Persistence

Persistence in the context of penetration testing and hacking refers to the methods used by an attacker or a penetration tester to maintain access to a system or network over a prolonged period, even through restarts, credential changes, or other disruptions. The goal of establishing persistence is to ensure continued access for ongoing exploitation, Data Exfiltration, or exploration.

Some common persistence techniques include:

  1. Creating Backdoors: Installing backdoors in software or systems, allowing attackers to bypass normal authentication mechanisms to regain access.
  2. Scheduled Tasks/Cron Jobs: Setting up tasks that automatically execute payloads at specified times or intervals.
    • Example: Using Windows Task Scheduler or Linux cron jobs to periodically run a script that reestablishes a connection to the attacker's machine.
  3. Registry Modifications: Adding entries to the Windows Registry to execute malware or scripts at system startup.
    • Example: Creating a new registry key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to launch a malicious executable upon user login.
  4. Startup Folder: Placing scripts or executables in system startup folders which execute upon system boot or user login.
    • Example: Adding a script to the Windows "Startup" folder or Linux's .bashrc file.
  5. Service Hijacking: Modifying existing legitimate services or creating new services to execute malicious code.
    • Example: Altering a Windows service to run a malicious executable instead of its legitimate function.
  6. Implanting Rootkits: Installing Rootkits that hide the attacker's activities and maintain access at a low level in the operating system.
    • Example: Using a kernel-mode rootkit to intercept system calls and hide the presence of an attacker's processes.
  7. Account Manipulation: Creating new user accounts or adding existing accounts to privileged groups for future access.
    • Example: Adding a new user with administrative privileges to ensure continued access.
  8. Replacing Legitimate Binaries: Swapping legitimate system binaries with modified ones that include malicious code.
    • Example: Replacing the ssh binary with a version that also logs credentials.
  9. Web Shells: Placing a web shell on a server to allow remote access through web requests.
    • Example: Uploading a PHP web shell to a vulnerable web server.