# Linux Persistence

This table gives a structured overview of common Linux persistence mechanisms used by attackers after initial access. Each row maps a persistence category to the technique used, how it is implemented, how it is triggered, and, most importantly, which indicators defenders (Blue Team) can monitor to detect or investigate malicious activity.

Rather than focusing on exploitation, the table helps security teams understand where persistence hides, how it survives reboots, and which system artifacts reveal compromise.

| Category | Technique | What is done | How it triggers | Tools / Command | Indicators for Blue Team |
| --- | --- | --- | --- | --- | --- |
| Init System | systemd service | Create a unit file `/etc/systemd/system/backup.service` with `ExecStart=/usr/bin/payload`, `WantedBy=multi-user.target` | systemd starts it at boot | `systemctl enable backup.service` | `systemctl list-units`, `journalctl -u`, new file in `/etc/systemd/system` |
| Init System | rc.local | Add line `/usr/bin/payload &` to `/etc/rc.local` | rc.local runs at boot (SysV) | `echo '/usr/bin/payload &' >> /etc/rc.local; chmod +x /etc/rc.local` | Modified rc.local timestamp, new process at boot |
| Cron | cron @reboot | `echo '@reboot root /usr/bin/payload' >> /etc/cron.d/sys-upd` | Cron executes on every reboot | `crontab -e` or file in `/etc/cron.d` | `cat /var/spool/cron`, grep payload in crontab |
| Cron | Hidden interval | `*/30 * * * * root /tmp/.x/payload` in `/etc/crontab` | Executes every 30 minutes | `echo '*/30 * * * * root...' >> /etc/crontab` | Suspicious path in crontab, `/var/log/cron` logs |
| User-level | Shell init files | Add `bash -c /home/user/.cache/.p` to `~/.bashrc` / `~/.profile` | Loaded on interactive shell / login | `echo 'bash -c ~/.cache/.p &' >> ~/.bashrc` | Diff of `~/.bashrc`; `ps aux` |
| User-level | `~/.config/autostart` (Desktop) | `payload.desktop` in `~/.config/autostart/` with `Exec=/usr/bin/payload` | Starts on X11/Wayland session | Create desktop file | `.desktop` file with suspicious `Exec` entry |
| Kernel Modules | Loadable LKM | Compile and load `insmod rk.ko`; add to `/etc/modules-load.d/rk.conf` | Module loads at boot | `insmod`, `modprobe rk.ko` | New module in `lsmod`, `dmesg` load messages |
| LD_PRELOAD | libc hijack | Set `export LD_PRELOAD=/usr/lib/libhijack.so` in `/etc/profile` | Every dynamic binary loads the .so | Edit `/etc/profile` | Check env vars, `ldd` shows injected .so |
| Pluggable Auth | PAM backdoor | Add `auth optional pam_exec.so /usr/bin/payload` to `/etc/pam.d/sshd` | Every SSH login triggers payload | Edit `pam.d` | Diff `/etc/pam.d/*`; `auth.log` shows execution |
| SSH | authorized_keys | Insert attacker public key into `~/.ssh/authorized_keys` | Enables passwordless login | `echo 'ssh-rsa AAAA...' >> ~/.ssh/authorized_keys` | New key fingerprint, `wtmp`/`lastlog` entries |
| SSH | Backdoored sshd | Recompile OpenSSH with backdoor, replace `/usr/sbin/sshd` | Daemon starts normally | `make && cp sshd /usr/sbin/` | Checksum mismatch, package verification fails |
| System Binaries | PATH hijack | Create malicious `/usr/local/bin/ssh` earlier in `PATH` | `ssh` command resolves to fake binary | Place fake binary; `chmod +x` | `which ssh`, checksum differences |
| Timers | systemd timer | `backup.timer` + `backup.service` in `/etc/systemd/system/` | Scheduled execution | `systemctl enable backup.timer` | `systemctl list-timers`, timer file |
| Udev Rules | Device trigger | `/etc/udev/rules.d/99-rk.rules` with `RUN+="/usr/bin/payload"` | Triggered on USB/device insert | `echo 'ACTION=="add", RUN+="/usr/bin/payload"' > rules` | `udevadm monitor` shows execution, new rule file |
| Journal Hooks | systemd-journald exec | systemd-journald supports ForwardToExec | Executes command on every log entry | Edit `/etc/systemd/journald.conf` | Diff in `journald.conf`, spawned processes |
| Network | /etc/ld.so.preload | Add .so to preload for all binaries | Loaded on every ELF execution | `echo '/usr/lib/librk.so' >> /etc/ld.so.preload` | File presence, `ldd` anomalies |
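As an added defender-side example (not code from the original page), the POSIX shell function below walks the on-disk artifacts the Indicators column points at (systemd units, cron, `/etc/ld.so.preload`, `pam.d`, udev rules) and prints one tab-separated finding per hit. The function names, the optional `ROOT` argument (so it can be pointed at a mounted image or a constructed test tree) and the match patterns are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): offline triage of the Blue Team indicators above.
# audit_persistence [ROOT] prints one finding per line: <category><TAB><file><TAB><evidence>.
# ROOT defaults to / (live host); point it at a mounted image or a test tree. Patterns are heuristics.

audit_persistence() {
    root="${1:-/}"
    root="${root%/}"   # strip a trailing slash so the paths below join cleanly

    # Init System / Timers: vendor units live under /lib/systemd/system, so an
    # ExecStart= in /etc/systemd/system is admin-dropped and worth a second look.
    for unit in "$root"/etc/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        grep -h '^ExecStart=' "$unit" |
            while IFS= read -r line; do printf 'systemd\t%s\t%s\n' "$unit" "$line"; done
    done

    # Cron: @reboot jobs and jobs whose binary sits in /tmp, /dev/shm or a dot-directory.
    for cronfile in "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$cronfile" ] || continue
        grep -hE '@reboot|/tmp/|/dev/shm/|/\.[A-Za-z0-9_]' "$cronfile" |
            while IFS= read -r line; do printf 'cron\t%s\t%s\n' "$cronfile" "$line"; done
    done

    # LD_PRELOAD: a non-empty /etc/ld.so.preload is rare on a clean host; every entry is a finding.
    if [ -s "$root/etc/ld.so.preload" ]; then
        while IFS= read -r line; do
            printf 'ld.so.preload\t%s\t%s\n' "$root/etc/ld.so.preload" "$line"
        done < "$root/etc/ld.so.preload"
    fi

    # PAM: pam_exec.so runs an arbitrary program on every auth event for that service.
    for pamfile in "$root"/etc/pam.d/*; do
        [ -f "$pamfile" ] || continue
        grep -h 'pam_exec\.so' "$pamfile" |
            while IFS= read -r line; do printf 'pam\t%s\t%s\n' "$pamfile" "$line"; done
    done

    # Udev: RUN+= in a rule under /etc executes a program on matching device events.
    for rule in "$root"/etc/udev/rules.d/*.rules; do
        [ -f "$rule" ] || continue
        grep -h 'RUN+=' "$rule" |
            while IFS= read -r line; do printf 'udev\t%s\t%s\n' "$rule" "$line"; done
    done
}

# count_findings [ROOT] [CATEGORY]: number of findings, optionally for one category only.
count_findings() {
    audit_persistence "$1" | awk -F'\t' -v want="$2" 'want == "" || $1 == want { n++ } END { print n + 0 }'
}
```

Run `audit_persistence` on a live host to get a baseline, then diff later runs against it; every line it prints is a lead to verify (package ownership, file timestamps, who created the entry), not a verdict.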
