
John Hammond Presents "Lesser Known Linux Persistence Mechanisms" at Black Hat USA
In this video, John Hammond, Principal Security Researcher at Huntress, delivers a presentation titled "Lesser Known Linux Persistence Mechanisms" at Black Hat USA. The presentation focuses on persistence mechanisms in Linux, which allow an attacker to maintain access to a compromised system. Hammond begins by explaining the importance of persistence within the MITRE ATT&CK Framework, emphasizing that persistence enables an attacker to retain a foothold to cause further damage.
Hammond reviews several well-known persistence mechanisms, such as adding a backdoor user, planting SSH keys, cron jobs, systemd services, and shell configuration files like .bashrc and .profile. He notes that while these methods are basic, they are commonly used because they are simple and effective, but cautions that they offer neither sophistication nor stealth.
Next, Hammond explores lesser-known and more sophisticated persistence mechanisms. He describes the PROMPT_COMMAND shell variable, which causes a command to run after every command the user enters at the terminal, and shell traps, which run a command before the main command executes. Both can be placed in configuration files like .bashrc so that they fire automatically whenever a shell starts.
Hammond also discusses abuse of SSH configuration, such as the ProxyCommand option in SSH client configuration files, which executes an arbitrary command whenever a connection is made. He mentions the possibility of storing authorized SSH keys in unconventional files, which makes them harder to find.
Another interesting mechanism is TCP Wrappers, whose access-control files can run a command whenever a connection to a protected service is received. Hammond gives the example of SNMP, a UDP-based protocol whose daemon can be configured to execute arbitrary commands when it is contacted.
Hammond addresses PAM (Pluggable Authentication Modules) degradation attacks, in which a custom authentication module accepts a specific password and thereby bypasses the normal authentication checks. He mentions a recent example of Linux malware using this technique.
Finally, Hammond talks about rootkits, particularly user-mode rootkits like Prism, which use ICMP (ping) for command and control, making detection more difficult. He also mentions Reptile, a Linux kernel-module rootkit that alters what the kernel returns for file reads, allowing it to hide specific files or modifications.
In conclusion, Hammond introduces PANIX, a customizable Linux persistence tool for research and detection engineering developed by Elastic. He encourages the audience to explore more persistence mechanisms and to use tools like PANIX to test and understand these techniques.
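As an added defender-side illustration of the four mechanisms above (shell hooks, SSH ProxyCommand, TCP Wrappers and SNMP command execution, and PAM modules), the following Python script is not from Hammond's talk or from any tool it mentions. It scans configuration text for the keywords each mechanism relies on and returns a triage list. All file contents are constructed samples embedded inline, the rule names are this example's own, and the PAM module allowlist is an assumption standing in for one generated from the host's installed packages.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    rule: str
    text: str


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].rstrip()


# Regex rules keyed by file kind. A match is a review item, not proof of
# compromise: ProxyCommand and PROMPT_COMMAND have plenty of legitimate uses.
RULES: dict[str, list[tuple[str, re.Pattern]]] = {
    "shell_rc": [
        ("prompt_command", re.compile(r"^\s*(export\s+)?PROMPT_COMMAND\s*=")),
        ("debug_trap", re.compile(r"^\s*trap\s+.*\bDEBUG\b")),  # runs before each command
    ],
    "ssh_config": [
        ("proxy_command", re.compile(r"^\s*ProxyCommand\s", re.IGNORECASE)),
    ],
    "hosts_allow": [
        ("tcp_wrapper_spawn", re.compile(r":\s*(spawn|twist)\b")),  # command on connect
    ],
    "snmpd_conf": [
        ("snmpd_command", re.compile(r"^\s*(extend(-sh)?|exec|sh|pass|pass_persist)\s")),
    ],
}

# PAM stacks are checked structurally: facility, control flag, module path.
PAM_LINE = re.compile(r"^\s*(auth|account|password|session)\s+(\S+)\s+(\S+)")
# Assumed allowlist of modules expected in an 'auth' stack on a stock host.
KNOWN_AUTH_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_env.so", "pam_faildelay.so",
    "pam_faillock.so", "pam_sss.so", "pam_succeed_if.so", "pam_localuser.so",
}


def scan_pam(path: str, content: str) -> list[Finding]:
    findings = []
    for n, raw in enumerate(content.splitlines(), 1):
        line = _strip_comment(raw)
        m = PAM_LINE.match(line)
        if not m:
            continue
        facility, _control, module = m.groups()
        if "/" in module:  # module loaded from an explicit path, not the PAM library dir
            findings.append(Finding(path, n, "pam_absolute_module_path", line.strip()))
        elif facility == "auth" and module not in KNOWN_AUTH_MODULES:
            findings.append(Finding(path, n, "pam_unknown_auth_module", line.strip()))
    return findings


def scan_text(kind: str, path: str, content: str) -> list[Finding]:
    if kind == "pam":
        return scan_pam(path, content)
    findings = []
    for n, raw in enumerate(content.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        for rule, pattern in RULES[kind]:
            if pattern.search(line):
                findings.append(Finding(path, n, rule, line.strip()))
    return findings


# Constructed sample files; the paths and contents are made up for this example.
SAMPLE_FILES = {
    ("shell_rc", "/home/alice/.bashrc"): "# constructed sample\nexport PATH=$HOME/bin:$PATH\n"
        "PROMPT_COMMAND='history -a; /tmp/.x >/dev/null 2>&1'\ntrap '/tmp/.x' DEBUG\nalias ll='ls -la'\n",
    ("ssh_config", "/home/alice/.ssh/config"): "Host bastion\n    HostName bastion.example.com\n"
        "    ProxyCommand nc -X connect -x proxy.example.com:8080 %h %p\n"
        "Host *\n    ProxyCommand sh -c '/tmp/.x; nc %h %p'\n",
    ("hosts_allow", "/etc/hosts.allow"): "sshd: 10.0.0.0/8\n"
        "sshd: ALL : spawn /usr/bin/logger -t tcpwrap \"%a connected to %d\"\n",
    ("snmpd_conf", "/etc/snmp/snmpd.conf"): "rocommunity public\nextend uptime /bin/cat /proc/uptime\n",
    ("pam", "/etc/pam.d/sshd"): "auth required pam_env.so\nauth sufficient pam_unix.so nullok try_first_pass\n"
        "auth sufficient /lib/security/pam_custom.so\nauth optional pam_xyz.so\n"
        "auth required pam_deny.so\naccount required pam_unix.so\n",
}


def run_scan(files=SAMPLE_FILES) -> list[Finding]:
    out: list[Finding] = []
    for (kind, path), content in files.items():
        out.extend(scan_text(kind, path, content))
    return out


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f.path}:{f.lineno} [{f.rule}] {f.text}")
```

On the constructed samples this yields eight findings, two of which (the bastion ProxyCommand and the logger spawn line) are ordinary administration and illustrate why the output is a triage list to be compared against a known-good baseline rather than an alert by itself.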
Hammond's presentation provides a comprehensive and detailed overview of Linux persistence mechanisms, ranging from basic techniques to advanced and sophisticated methods. It is a valuable resource for security professionals and cybersecurity enthusiasts.