Secondary Categories: 02-Persistence


Description:

There are some really good backdoors that can be referenced, such as BPFdoor and watershell. There is a great article that breaks down BPFdoor here.

Storage

The typical move is to just place the binary in /tmp, but a better method is placing it in /dev/shm. This location is RAM-backed (tmpfs) storage, so a file stored there is deleted if the system crashes, reboots, or shuts down.

PID Dropper

A zero-byte file can be created at /var/run/<BINARY> and used to check whether the binary has run on this system before. The caveat is that this file can be left on the system even after reboots.

Timestomping

touch -d 20120101 /tmp/goldenfile
touch -r /tmp/goldenfile <BACKDOOR BINARY>

Note that touch only rewrites atime and mtime; the inode change time (ctime) is updated by the kernel and cannot be set this way.
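An added detection example, not code from the original page: a small Python scan that flags the artifacts described in the Storage and Timestomping sections above, namely executables sitting in tmpfs-style drop locations and files whose mtime has been pushed far behind their ctime (touch -r/-d rewrites atime and mtime, but the kernel still bumps ctime). The directory list, the 24-hour skew threshold and the sample file are assumptions constructed for the demo.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumed drop locations to sweep on a live host (from the page's Storage section).
SUSPECT_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def scan(root, skew_seconds=86400):
    """Walk root and return sorted (path, reasons) for suspicious regular files.

    Flags: executable bit set, or ctime more than skew_seconds newer than
    mtime, which is the fingerprint touch -r / touch -d leaves behind.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or unreadable; skip, do not crash the sweep
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mode & 0o111:
                reasons.append("executable")
            if (st.st_ctime - st.st_mtime) > skew_seconds:
                reasons.append("mtime predates ctime")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


def demo():
    """Constructed sample: a temp dir standing in for /dev/shm with one stomped binary."""
    with tempfile.TemporaryDirectory() as d:
        dropped = os.path.join(d, "goldenfile")
        Path(dropped).write_bytes(b"#!/bin/sh\n")
        os.chmod(dropped, 0o755)
        old = time.mktime((2012, 1, 1, 0, 0, 0, 0, 0, -1))
        os.utime(dropped, (old, old))  # same effect as: touch -d 20120101 goldenfile
        Path(os.path.join(d, "notes.txt")).write_text("benign")  # fresh, non-executable
        return [(os.path.basename(p), r) for p, r in scan(d)]


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, ", ".join(reasons))
```

On a real host, call scan() over each entry of SUSPECT_DIRS and triage the hits; package-managed files often show ctime newer than mtime, so the skew rule is a lead, not a verdict.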
