Linux Persistence
The table provides a structured overview of common Linux persistence mechanisms used by attackers after initial access. Each row maps a persistence category, the technique used, how it is implemented, how it is triggered, and—most importantly—what indicators defenders (Blue Team) can monitor to detect or investigate malicious activity.
Rather than focusing on exploitation, the table helps security teams understand where persistence hides, how it survives reboots, and which system artifacts reveal compromise.
| Category | Technique | What is done | How it triggers | Tools / Command | Indicators for Blue Team |
|---|---|---|---|---|---|
| Init System | systemd service | Create a unit file `/etc/systemd/system/backup.service` with `ExecStart=/usr/bin/payload`, `WantedBy=multi-user.target` | systemd starts it at boot | `systemctl enable backup.service` | `systemctl list-units`, `journalctl -u`, new file in `/etc/systemd/system` |
| Init System | rc.local | Add the line `/usr/bin/payload &` to `/etc/rc.local` | rc.local runs at boot (SysV) | `echo '/usr/bin/payload &' >> /etc/rc.local; chmod +x /etc/rc.local` | Modified rc.local timestamp, new process at boot |
| Cron | cron @reboot | `echo '@reboot root /usr/bin/payload' >> /etc/cron.d/sys-upd` | Cron executes on every reboot | `crontab -e` or file in `/etc/cron.d` | `cat /var/spool/cron`, grep for payload in crontab |
| Cron | Hidden interval | `*/30 * * * * root /tmp/.x/payload` in `/etc/crontab` | Executes every 30 minutes | `echo '*/30 * * * * root...' >> /etc/crontab` | Suspicious path in crontab, `/var/log/cron` logs |
| User-level | Shell init files | Add `bash -c /home/user/.cache/.p` to `~/.bashrc` / `~/.profile` | Loaded on interactive shell / login | `echo 'bash -c ~/.cache/.p &' >> ~/.bashrc` | Diff of `~/.bashrc`; `ps aux` |
| User-level | `~/.config/autostart` (Desktop) | `payload.desktop` in `~/.config/autostart/` with `Exec=/usr/bin/payload` | Starts on X11/Wayland session | Create desktop file | `.desktop` file with suspicious `Exec` entry |
| Kernel Modules | Loadable LKM | Compile and load `insmod rk.ko`; add to `/etc/modules-load.d/rk.conf` | Module loads at boot | `insmod`, `modprobe rk.ko` | New module in `lsmod`, `dmesg` load messages |
| LD_PRELOAD | libc hijack | Set `export LD_PRELOAD=/usr/lib/libhijack.so` in `/etc/profile` | Every dynamic binary loads the .so | Edit `/etc/profile` | Check env vars, `ldd` shows injected .so |
| Pluggable Auth | PAM backdoor | Add `auth optional pam_exec.so /usr/bin/payload` to `/etc/pam.d/sshd` | Every SSH login triggers payload | Edit `pam.d` | Diff `/etc/pam.d/*`; `auth.log` shows execution |
| SSH | authorized_keys | Insert attacker public key into `~/.ssh/authorized_keys` | Enables passwordless login | `echo 'ssh-rsa AAAA...' >> ~/.ssh/authorized_keys` | New key fingerprint, wtmp/lastlog entries |
| SSH | Backdoored sshd | Recompile OpenSSH with backdoor, replace `/usr/sbin/sshd` | Daemon starts normally | `make && cp sshd /usr/sbin/` | Checksum mismatch, package verification fails |
| System Binaries | PATH hijack | Create malicious `/usr/local/bin/ssh` earlier in PATH | `ssh` command resolves to fake binary | Place fake binary; `chmod +x` | `which ssh`, checksum differences |
| Timers | systemd timer | `backup.timer` + `backup.service` in `/etc/systemd/system/` | Scheduled execution | `systemctl enable backup.timer` | `systemctl list-timers`, timer file |
| Udev Rules | Device trigger | `/etc/udev/rules.d/99-rk.rules` with `RUN+="/usr/bin/payload"` | Triggered on USB/device insert | `echo 'ACTION=="add", RUN+="/usr/bin/payload"' > rules` | `udevadm monitor` shows execution, new rule file |
| Journal Hooks | systemd-journald exec | systemd-journald supports ForwardToExec | Executes command on every log entry | Edit `/etc/systemd/journald.conf` | Diff in `journald.conf`, spawned processes |
| Network | `/etc/ld.so.preload` | Add .so to preload for all binaries | Loaded on every ELF execution | `echo '/usr/lib/librk.so' >> /etc/ld.so.preload` | File presence, `ldd` anomalies |
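The following audit script is an added example, not part of the original table: it walks the Blue-Team indicator locations listed above (ld.so.preload, profile LD_PRELOAD exports, cron, systemd units and timers, rc.local, shell init files, udev rules, pam_exec, authorized_keys) under a root directory, so it can be run on the live system or on a mounted forensic image. The set of directories treated as suspicious (`/tmp`, `/dev/shm`, `/var/tmp`, hidden directories) and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper, not part of the original table: walks the Blue-Team
# indicator locations from the table under ROOT ("" for the live system, or a
# mounted forensic image) and prints one finding per line. The directories
# treated as suspicious (/tmp, /dev/shm, /var/tmp, hidden dirs) are an assumption.
SUSPICIOUS='/tmp/|/dev/shm/|/var/tmp/|/\.[A-Za-z0-9_-]+/'

# report TAG FILE PATTERN: print FILE's lines matching PATTERN, prefixed with TAG and path.
report() {
    [ -f "$2" ] || return 0
    grep -nE "$3" "$2" 2>/dev/null | sed "s|^|$1 ${2#$ROOT}:|"
    return 0
}

audit_persistence() {
    ROOT="${1:-}"
    # /etc/ld.so.preload is absent on a clean system, so any content is a finding.
    if [ -s "$ROOT/etc/ld.so.preload" ]; then
        printf 'ld.so.preload %s\n' "$(tr '\n' ' ' < "$ROOT/etc/ld.so.preload")"
    fi
    # LD_PRELOAD exported from a login profile reaches every dynamic binary.
    for f in "$ROOT/etc/profile" "$ROOT"/etc/profile.d/*; do
        report ld_preload "$f" 'LD_PRELOAD='
    done
    # Cron: @reboot jobs and jobs living in temp or hidden directories.
    for f in "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/* "$ROOT"/var/spool/cron/*; do
        report cron "$f" "@reboot|$SUSPICIOUS"
    done
    # systemd: every ExecStart/timer line in the admin-editable unit directory.
    for f in "$ROOT"/etc/systemd/system/*.service "$ROOT"/etc/systemd/system/*.timer; do
        report systemd "$f" '^(ExecStart|OnBootSec|OnCalendar)='
    done
    # rc.local, shell init files, udev rules and PAM stacks that launch something.
    report rc.local "$ROOT/etc/rc.local" '&[[:space:]]*$'
    for f in "$ROOT"/root/.bashrc "$ROOT"/home/*/.bashrc "$ROOT"/home/*/.profile; do
        report shell_init "$f" "$SUSPICIOUS"
    done
    for f in "$ROOT"/etc/udev/rules.d/*; do report udev "$f" 'RUN\+='; done
    for f in "$ROOT"/etc/pam.d/*; do report pam "$f" 'pam_exec\.so'; done
    # SSH: key count per authorized_keys so a newly appended key stands out.
    for f in "$ROOT"/root/.ssh/authorized_keys "$ROOT"/home/*/.ssh/authorized_keys; do
        if [ -f "$f" ]; then
            printf 'ssh_keys %s: %s key(s)\n' "${f#$ROOT}" "$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)"
        fi
    done
    return 0
}
# Usage: sh audit.sh /mnt/image   (or: sh audit.sh "" for the live system)
if [ $# -gt 0 ]; then audit_persistence "$1"; fi
```

Baseline the output on a known-good host and diff against later runs; a new line under `systemd`, `cron` or `ssh_keys` is the "new file / new key" indicator from the table made concrete.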