This article concludes the “Linux Persistence Detection Engineering” series by exploring advanced persistence mechanisms in Linux. Key topics include manipulation of GRUB and initramfs for persistence, exploitation of PolicyKit (Polkit) permissions, D-Bus configuration for unauthorized access, and NetworkManager dispatcher scripts. Readers are equipped with practical examples and detection strategies to bolster their defenses against Linux persistence threats. Affected: Linux systems, security frameworks, IT environments
Keypoints :
- Explores advanced persistence techniques in Linux.
- Discusses manipulation of GRUB bootloader for persistence.
- Details methods for exploiting initramfs to execute unauthorized scripts.
- Examines PolicyKit rules for gaining unauthorized privileges.
- Highlights potential abuse of D-Bus configuration files for persistent access.
- Describes the use of NetworkManager dispatcher scripts for executing payloads on network events.
- PANIX tool is used for simulating and detecting these persistence techniques.
MITRE Techniques :
- T1542: Pre-OS Boot – GRUB manipulation for persistence.
- T1543: Create or Modify System Process – Exploiting Polkit rules and D-Bus services.
- T1546: Event Triggered Execution – Using NetworkManager dispatcher scripts for persistent execution.
- T1574: Hijack Execution Flow – Modifying D-Bus service files for malicious intents.
Indicator of Compromise :
- [File] /etc/default/grub (GRUB configuration file)
- [File] /etc/polkit-1/localauthority/50-local.d/panix.pkla (Overly permissive Polkit rule)
- [File] /usr/share/dbus-1/system-services/org.panix.persistence.service (Malicious D-Bus service)
- [File] /etc/NetworkManager/dispatcher.d/panix-dispatcher.sh (Malicious dispatcher script)
- [File] /boot/initrd.img-
(Modified initramfs image)
Full Story: https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence