sliver
Persistence Module
Automatic per-platform (Windows/MacOS/Linux) persistence commands.
Persistence is inherently not op-sec safe due to the requirement of storing information on disk. However, I think we should decide on the best methods of persisting on the three major OSes (Linux, MacOS, and Windows).
Possible Options:
- Linux
/tmp/...
Cron is the most common way to persist on Linux.
printf "*/5 * * * * /tmp/..." | crontab
- MacOS
- Windows
- User: Registry Keys or Scheduled Tasks
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
schtasks /create /rp "" /tn "" /tr C:\Windows\System32\mshta.exe js-DotNet-Go /sc onlogon
- Root: Registry Keys or at.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
C:\Windows\System32\at.exe at 08:00 /every:m,t,w,th,f,s,su C:\Windows\System32\mshta.exe js-DotNet-Go
These may not all be deemed op-sec safe, but just to give some ideas for other possible Linux options:
/etc/bash.bashrc
/etc/profile
/etc/profile.d/*
~/.profile
~/.bash_login
Also:
- SSH Authorized Keys
- Compromise Client Software Binary
- Create Account
- Create Account: Local Account
- Create or Modify System Process
- Create or Modify System Process: Systemd Service
- Event Triggered Execution: Trap
- Event Triggered Execution
- Event Triggered Execution: .bash_profile and .bashrc
- External Remote Services
- Hijack Execution Flow
- Hijack Execution Flow: LD_PRELOAD
- Pre-OS Boot
- Pre-OS Boot: Bootkit
- Scheduled Task/Job
- Scheduled Task/Job: At (Linux)
- Scheduled Task/Job: Cron
- Server Software Component
- Server Software Component: SQL Stored Procedures
- Server Software Component: Transport Agent
- Server Software Component: Web Shell
- Traffic Signaling
- Traffic Signaling: Port Knocking
- Valid Accounts: Default Accounts
- Valid Accounts: Domain Accounts
Also:
- Linux
/etc/rc.local
- MacOS
/etc/rc.common
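From the defender's side, the Linux mechanisms named in this thread (cron entries such as the `*/5 * * * * /tmp/...` example above, and startup scripts like /etc/rc.local or the ~/.profile family) leave artifacts that are easy to triage. The helper below is an added example, not Sliver code or any commenter's; the crontab and rc.local contents are constructed samples, and the interval threshold and "suspicious directory" list are assumptions for illustration.

```python
import re

# Constructed sample output of `crontab -l` (not from a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update
@reboot /home/alice/.cache/.svc
"""

# Constructed sample startup script (e.g. /etc/rc.local or ~/.profile).
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
exit 0
/tmp/.x/update &
"""

# Assumed triage heuristics: world-writable temp dirs and a short beacon-like interval.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MAX_SUSPICIOUS_INTERVAL_MIN = 15

def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and env assignments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            schedule, command = parts
        else:                                    # five time fields + command
            parts = line.split(None, 5)
            if len(parts) != 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((schedule, command))
    return entries

def _path_is_suspicious(command):
    """True if the executable lives in a temp dir or under a hidden path component."""
    tokens = command.split()
    token = tokens[0] if tokens else ""
    if token.startswith(SUSPICIOUS_DIRS):
        return True
    return any(p.startswith(".") and p not in (".", "..") for p in token.split("/"))

def audit_crontab(text):
    """Return (schedule, command, reasons) for entries worth a manual look."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        m = re.fullmatch(r"\*/(\d+)", schedule.split()[0])   # minute field like */5
        if m and int(m.group(1)) <= MAX_SUSPICIOUS_INTERVAL_MIN:
            reasons.append(f"runs every {m.group(1)} minutes")
        if schedule == "@reboot":
            reasons.append("runs at boot")
        if _path_is_suspicious(command):
            reasons.append("command in temp or hidden path")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings

def audit_startup_script(text):
    """Flag lines of an rc/profile script whose command sits in a temp or hidden path."""
    return [(n, l.strip(), ["command in temp or hidden path"])
            for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.strip().startswith("#") and _path_is_suspicious(l.strip())]
```

Run it against real `crontab -l -u <user>`, /etc/cron.d/* and the script paths listed in this thread; the reasons are triage hints, so every hit still needs an analyst's review.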
How is the development of this feature going? Could I help you with anything?