Aegrah's Linux Persistence Honed Assistant
Short introduction (purple team fashion, used for detection engineering, but can also be used for penetration testing purposes). Not built as a stealthy tool.
Systems it runs on (Debian/Fedora etc.)
List of publications in which this tool is used in a purple teaming fashion:
Share ALPHA ...
Disclaimer here..
References here..
### Persistence methods
- [ ] sudo hijacking
- [ ] Shared object hooking
- [ ] web shell --> ask user input? Or php/asp(x) etc.?
- [ ] Dynamic Linker Hijacking, add to ld.so.preload (LD_PRELOAD)
- [ ] LKM
- [ ] ICMP backdoor https://github.com/droberson/icmp-backdoor
- [ ] git backdooring https://hadess.io/the-art-of-linux-persistence/
- [ ] PAM module https://attack.mitre.org/techniques/T1556/003/, https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement
- [ ] Maybes:
- [ ] symlinks somehow
- [ ] chroot environments
- [ ] rogue container
- [ ] port knocking
- [ ] malicious dpkg package?
- [ ] Trap signal https://attack.mitre.org/techniques/T1546/005/
- [ ] init/kernel level; ls24
- [ ] Make it executable in memory