Secondary Categories: 02-Persistence
Description:
There are some really good backdoors that can be referenced, such as BPFdoor and watershell. There is a great article that breaks down BPFdoor here.
Storage
The typical move is to just place the binary in /tmp, but a better method is placing it in /dev/shm. This location is RAM-backed file storage (tmpfs), so if a file is stored here and the system crashes, reboots, or shuts down, the file is deleted.
PID Dropper
A zero-byte file can be created at /var/run/<BINARY> and used to check whether the binary has run on this system before. The caveat is that this file can be left on the system even after reboots.
Timestomping

```bash
# Create a reference file with an old modification date, then copy its
# access/modification timestamps onto the backdoor binary
touch -d 20120101 /tmp/goldenfile
touch -r /tmp/goldenfile <BACKDOOR BINARY>
```
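A defender-side triage script for the three indicators the Storage, PID Dropper and Timestomping notes above describe: a process whose executable lives in /dev/shm or /tmp, a zero-byte marker file in a runtime directory, and a file whose mtime has been pushed far behind its ctime (what `touch -d` / `touch -r` leave behind, since ctime cannot be set from user space and is bumped to "now" by the touch itself). This is an added example, not code from the note or from any of the backdoors it mentions; the suspect directory list, the one-day mtime/ctime gap threshold, and the constructed sample files are assumptions.

```python
"""Added triage helper (not part of the original note) for the persistence
indicators it describes. All checks take explicit inputs so they can be
exercised on a constructed directory; only the /proc walk touches the live system."""
import os
import stat
import time

# Assumption: the locations named in the note plus /var/tmp.
SUSPECT_EXE_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def exe_in_suspect_dir(exe_path, suspect_dirs=SUSPECT_EXE_DIRS):
    """True if the executable path sits inside one of the suspect directories."""
    norm = os.path.normpath(exe_path)
    return any(norm == d or norm.startswith(d + os.sep) for d in suspect_dirs)


def running_from_suspect_dirs(procs=None):
    """Return [(pid, exe)] for processes executing from a suspect directory.

    `procs` is an iterable of (pid, exe_path). When None, /proc is walked
    (Linux only); entries whose /proc/<pid>/exe cannot be read are skipped.
    A " (deleted)" suffix (binary removed after exec) is ignored for matching.
    """
    if procs is None:
        procs = []
        pids = os.listdir("/proc") if os.path.isdir("/proc") else []
        for pid in pids:
            if not pid.isdigit():
                continue
            try:
                procs.append((int(pid), os.readlink(f"/proc/{pid}/exe")))
            except OSError:
                continue
    return [(pid, exe) for pid, exe in procs
            if exe_in_suspect_dir(exe.replace(" (deleted)", ""))]


def zero_byte_files(directory):
    """Regular files of size 0 directly inside `directory` (PID-dropper style markers)."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_size == 0:
            found.append(path)
    return found


def timestomp_candidates(directory, min_gap_seconds=86400):
    """[(path, mtime, ctime)] for files whose ctime is more than `min_gap_seconds`
    later than their mtime. chmod/chown also bump ctime, so this is a lead
    for review rather than proof of tampering."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_ctime - st.st_mtime > min_gap_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def build_constructed_sample(base):
    """Constructed sample data: one zero-byte marker and one file whose mtime
    was set back to 2012-01-01 (the same effect as `touch -d 20120101`)."""
    os.makedirs(base, exist_ok=True)
    marker = os.path.join(base, "backdoor.pid")
    open(marker, "w").close()
    stomped = os.path.join(base, "goldenfile")
    with open(stomped, "w") as fh:
        fh.write("x")
    epoch_2012 = time.mktime((2012, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(stomped, (epoch_2012, epoch_2012))
    return marker, stomped


def run_on_constructed_sample():
    """Build the sample in a fresh temp dir and return what each check found."""
    import tempfile
    base = tempfile.mkdtemp(prefix="triage_")
    marker, stomped = build_constructed_sample(base)
    return {
        "marker": marker,
        "stomped_file": stomped,
        "markers_found": zero_byte_files(base),
        "stomped_found": [h[0] for h in timestomp_candidates(base)],
    }


if __name__ == "__main__":
    print(run_on_constructed_sample())
    print("live processes from suspect dirs:", running_from_suspect_dirs())
```

The mtime/ctime gap is the useful signal here: `touch -r` copies atime and mtime from the reference file, but the kernel records the touch itself in ctime, so a binary claiming to be from 2012 with a ctime of today stands out. Pair it with the process check, since a binary that only exists in /dev/shm disappears on reboot and the running process may be the only copy left to examine.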
Resources:
Title | URL |
---|---|
place | holder |
Also Check Out:
- PLACEHOLDER