This is a series that explores methods attackers might use to maintain persistent access to a compromised Linux system. To do this, Pberba will take an "offense informs defense" approach by going through techniques listed in the MITRE ATT&CK Matrix for Linux.
Pberba will try to:
- Give examples of how an attacker might deploy one of these backdoors
- Show how a defender might monitor and detect these installations
The diagram above gives an overview of what will be discussed in this series.

Here is the outline for the series:
- Hunting for Persistence in Linux (Part 1): Auditing, Logging and Webshells
  - 1 – Server Software Component: Web Shell
- Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
  - 2 – Create Account: Local Account
  - 3 – Valid Accounts: Local Accounts
  - 4 – Account Manipulation: SSH Authorized Keys
- Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron
  - 5 – Create or Modify System Process: Systemd Service
  - 6 – Scheduled Task/Job: Systemd Timers
  - 7 – Scheduled Task/Job: Cron
- Hunting for Persistence in Linux (Part 4): Initialization Scripts and Shell Configuration
  - 8 – Boot or Logon Initialization Scripts: RC Scripts
  - 9 – Boot or Logon Initialization Scripts: init.d
  - 10 – Boot or Logon Initialization Scripts: motd
  - 11 – Event Triggered Execution: Unix Shell Configuration Modification
- Hunting for Persistence in Linux (Part 5): Systemd Generators
  - 12 – Boot or Logon Initialization Scripts: systemd-generators