In this blogpost, we'll be discussing some scripts that attackers can install or modify that will execute on boot or logon. These are special files outside systemd services and timers. The topics discussed here are the following:

- Boot or Logon Initialization Scripts: RC Scripts
- Boot or Logon Initialization Scripts: init.d
- Boot or Logon Initialization Scripts: motd
- Event Triggered Execution: Unix Shell Configuration Modification

We will give some example commands on how to implement these persistence techniques and how to create alerts using open-source solutions such as auditd, sysmon and auditbeat. If you need help setting up auditd, sysmon and/or auditbeat, you can try following the instructions in the appendix of part 1.

- Hunting for Persistence in Linux (Part 1): Auditing, Logging and Webshells
  - 1 - Server Software Component: Web Shell
- Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
  - 4 - Account Manipulation: SSH Authorized Keys
- Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron
  - 5 - Create or Modify System Process: Systemd Service
- Hunting for Persistence in Linux (Part 4): Initialization Scripts and Shell Configuration
  - 8 - Boot or Logon Initialization Scripts: RC Scripts
  - 9 - Boot or Logon Initialization Scripts: init.d
  - 10 - Boot or Logon Initialization Scripts: motd
  - 11 - Event Triggered Execution: Unix Shell Configuration Modification
- (WIP) Hunting for Persistence in Linux (Part 5): Systemd Generators
  - 12 - Boot or Logon Initialization Scripts: systemd-generators
- (WIP) Hunting for Persistence in Linux (Part 6): Rootkits, Compromised Software, and Others
  - Modify Authentication Process: Pluggable Authentication Modules

You might have noticed that newer versions of Linux distributions no longer have /etc/rc.local. This is because they have migrated to using systemd for init scripts. However, systemd ships compatibility executables called systemd-generators. For example, we have systemd-rc-local-generator. The executable for this can be found in /usr/lib/systemd/system-generators/systemd-rc-local-generator (source code). As long as systemd-rc-local-generator is included in the current version of systemd, /etc/rc.local will still run on boot. systemd-rc-local-generator is a generator that checks whether /etc/rc.local exists and is executable, and if it is, pulls the rc-local.service unit into the boot process. This is pretty straightforward: just create an executable script at /etc/rc.local.

Either set `recursive: true` or add /etc/init.d. Similar to the discussion we had in the previous blogpost regarding systemd services, the default configuration of auditbeat will monitor /etc/init.d in its file integrity monitoring module.

### 10.4 Looking for suspicious processes

```
  - /etc/update-motd.d
  # recursive: true
```
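As an added triage helper (not code from the original post), the script below mirrors the generator's own decision: /etc/rc.local only runs at boot when it exists, is executable, and systemd-rc-local-generator is present. It also lists the executable files in the init.d and update-motd.d directories the post says auditbeat should watch, newest first, so recent additions stand out. It assumes GNU find (`-printf`) and takes an optional root directory so it can be pointed at a mounted or copied filesystem instead of the live one.

```shell
#!/bin/sh
# Added example, not from the original post. Replicates the check that
# systemd-rc-local-generator performs and surfaces recently added init scripts.
# ROOT (default "/") lets the checks run against an offline filesystem image.

rc_local_status() {
    root="${1:-/}"
    rc="${root%/}/etc/rc.local"
    gen="${root%/}/usr/lib/systemd/system-generators/systemd-rc-local-generator"
    if [ ! -e "$rc" ]; then
        echo "absent"                    # nothing for the generator to pull in
    elif [ ! -x "$rc" ]; then
        echo "present-not-executable"    # generator ignores a non-executable file
    elif [ ! -x "$gen" ]; then
        echo "executable-no-generator"   # systemd build without the generator
    else
        echo "will-run-on-boot"          # rc-local.service gets pulled into boot
    fi
}

# Executable regular files in the boot/logon script directories, with
# modification date and owner, newest first. Non-executable files are
# skipped because neither init.d nor update-motd.d will run them.
list_init_scripts() {
    root="${1:-/}"
    for d in etc/init.d etc/update-motd.d; do
        dir="${root%/}/$d"
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -100 -printf '%TY-%Tm-%Td %u %p\n' 2>/dev/null
    done | sort -r
}

# Usage: ./check_init_scripts.sh [ROOT]
rc_local_status "$1"
list_init_scripts "$1"
```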