Persistence Module

[moloch--]

Automatic per-platform (Windows/MacOS/Linux) persistence commands.

[usiegl00]

Persistence is inherently not op-sec safe due to the requirements of storing information on disk. However I think we should decide on the best methods of persisting on the 3 major OS's. (Linux, MacOS, and Windows)

Possible Options:

• Linux /tmp/... Cron is the most common way to persist on Linux. printf "*/5 * * * * /tmp/..." | crontab
• MacOS
  • User: launchctl
  • Root: emond or sudo /bin/bash -c 'echo "touch /tmp/pwned" > /etc/periodic/daily/000.pwned && chmod +x /etc/periodic/daily/000.pwned'
• Windows
  • User: Registry Keys or Scheduled Tasks

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    schtasks /create /rp "" /tn "" /tr C:\Windows\System32\mshta.exe js-DotNet-Go /sc onlogon

  • Root: Registry Keys or at.exe

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    C:\Windows\System32\at.exe at 08:00 /every:m,t,w,th,f,s,su C:\Windows\System32\mshta.exe js-DotNet-Go

[zero77]

These may not all be deemed op safe but, just to give some ideas for other possible Linux options:

/etc/bash.bashrc /etc/profile /etc/profile.d/* ~/.profile ~/.bash_login

Also:

• SSH Authorized Keys
• Compromise Client Software Binary
• Create Account
• Create Account: Local Account
• Create or Modify System Process
• Create or Modify System Process: Systemd Service
• Event Triggered Execution: Trap
• Event Triggered Execution
• Event Triggered Execution: .bash_profile and .bashrc
• External Remote Services
• Hijack Execution Flow
• Hijack Execution Flow: LD_PRELOAD
• Pre-OS Boot
• Pre-OS Boot: Bootkit
• Scheduled Task/Job
• Scheduled Task/Job: At (Linux)
• Scheduled Task/Job: Cron
• Server Software Component
• Server Software Component: SQL Stored Procedures
• Server Software Component: Transport Agent
• Server Software Component: Web Shell
• Traffic Signaling
• Traffic Signaling: Port Knocking
• Valid Accounts: Default Accounts
• Valid Accounts: Domain Accounts 2

[usiegl00]

Also:

• Linux /etc/rc.local
• MacOS /etc/rc.common

[vctrferreira]

How is going the development of this feature? Could I help you with any thing?

[derekkddj]

no updates in this task?

[moloch--]

This is not currently planned, typically you'd want to write your own dropper to support a feature like this. I'm not opposed to including it as feature, it's just not a priority.

[rkervella]

There's just too many / too different ways to persist on different platforms. Probably better to implement that as extensions.