Open moloch-- opened 5 years ago
Persistence is inherently not op-sec safe due to the requirement of storing information on disk. However, I think we should decide on the best methods of persisting on the three major OSes (Linux, MacOS, and Windows).
Possible Options:
/tmp/...
Cron is the most common way to persist on Linux.
printf "*/5 * * * * /tmp/..." | crontab
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
schtasks /create /rp "" /tn "" /tr C:\Windows\System32\mshta.exe js-DotNet-Go /sc onlogon
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
C:\Windows\System32\at.exe at 08:00 /every:m,t,w,th,f,s,su C:\Windows\System32\mshta.exe js-DotNet-Go
These may not all be deemed op-sec safe, but just to give some ideas for other possible Linux options:
/etc/bash.bashrc /etc/profile /etc/profile.d/* ~/.profile ~/.bash_login
Also:
/etc/rc.local
/etc/rc.common
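As an added example (not code from this thread or from the project), here is a small Python audit that looks at the autostart locations discussed above from the defender's side: cron entries and shell startup files (~/.profile, /etc/rc.local and friends) that execute something from /tmp, and Run-key values that launch through a script host such as mshta.exe. The three inputs are constructed samples standing in for `crontab -l` output, a `reg export` of a Run key, and a profile file; the function and constant names are my own.

```python
"""Audit the autostart locations named in this thread for the patterns it
describes: cron jobs and shell-startup lines that run from /tmp, and Run-key
values that launch via a script host (mshta.exe and similar).

All sample inputs below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories any local user can write to; a scheduled command living in one
# of them matches the /tmp/... pattern from the thread.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Script hosts commonly used as the launcher in a Run-key or task entry.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")

# Registry keys from the thread (matched on the tail of a .reg section header).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source: str   # which location was audited
    entry: str    # the offending line, verbatim
    reason: str   # why it was flagged


def _command_of(cron_line: str) -> str | None:
    """Return the command part of a crontab job line, or None if not a job."""
    if cron_line.startswith("@"):            # @reboot, @hourly, ...
        parts = cron_line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = cron_line.split(None, 5)         # five time fields, then the command
    return parts[5] if len(parts) == 6 else None


def audit_crontab(text: str) -> list[Finding]:
    """Flag cron jobs whose command references a world-writable directory."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue                         # blank, comment, or VAR=value line
        cmd = _command_of(line)
        if cmd and any(d in cmd for d in WORLD_WRITABLE_DIRS):
            findings.append(Finding("crontab", line, "job runs from a world-writable directory"))
    return findings


def audit_reg_export(text: str) -> list[Finding]:
    """Flag Run-key values (in .reg export text) that launch a script host."""
    findings = []
    in_autorun_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun_key = bool(AUTORUN_KEY_RE.search(line[1:-1]))
            continue
        if in_autorun_key and "=" in line:
            name, _, data = line.partition("=")
            lowered = data.lower()
            hit = next((h for h in SCRIPT_HOSTS if h in lowered), None)
            if hit:
                findings.append(Finding("registry", line, f"value {name} launches via {hit}"))
    return findings


def audit_shell_startup(path: str, text: str) -> list[Finding]:
    """Flag profile/rc lines that reference a world-writable directory."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(d in line for d in WORLD_WRITABLE_DIRS):
            findings.append(Finding(path, line, "startup script references a world-writable directory"))
    return findings


# --- constructed samples (not real system data) -----------------------------
SAMPLE_CRONTAB = """\
MAILTO=root
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/updater
@reboot /home/alice/bin/sync
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Windows\\System32\\mshta.exe C:\\Users\\Public\\u.hta"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

SAMPLE_PROFILE = """\
# ~/.profile
export PATH="$HOME/bin:$PATH"
nohup /tmp/updater >/dev/null 2>&1 &
"""


def run_audit() -> list[Finding]:
    """Run all three checks over the constructed samples."""
    return (audit_crontab(SAMPLE_CRONTAB)
            + audit_reg_export(SAMPLE_REG)
            + audit_shell_startup("~/.profile", SAMPLE_PROFILE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.reason}: {f.entry}")
```

On a live host you would feed `audit_crontab` the output of `crontab -l` for each user (plus /etc/cron.d), `audit_reg_export` the text of `reg export` for each Run key listed in the thread, and `audit_shell_startup` the contents of the profile and rc files; the checks are deliberately narrow string matches so they stay explainable in triage rather than trying to be a complete autoruns replacement.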
How is the development of this feature going? Could I help you with anything?
No updates on this task?
This is not currently planned; typically you'd want to write your own dropper to support a feature like this. I'm not opposed to including it as a feature, it's just not a priority.
There are just too many / too different ways to persist on different platforms. Probably better to implement that as extensions.
Automatic per-platform (Windows/MacOS/Linux) persistence commands.