Persistence and Escalation Mechanisms

Collection

*There are many techniques for becoming persistent on a Windows machine. You can refer to the persistence and escalation mechanisms article or look them up on the MITRE website. Although it’s important to know the artefacts themselves and the technique, collecting them all manually would be hard.*

BIOS Persistence

This is about … .

Boot Abuse

Linux: init is the process that spawns the other processes and usually has PID 1. /etc/inittab can be used to set the run level for the system.

Config Abuse

Some persistence and escalation techniques don’t require an exploit, only a small tweak to some configuration.

Elevation Control Abuse

Linux & macOS: setuid and setgid
Platforms: macOS, Linux
MITRE: https://attack.mitre.org/techniques/T1548/001/
Binaries with the setuid or setgid bit set on UNIX.

IPC

This is about … .

Kernel

Linux: LKM
Loadable kernel modules (LKM) for Linux. Drivers are one type of kernel extension.
XDG: https://attack.mitre.org/techniques/T1547/013/
macOS: kext
Kernel extensions (kext) for macOS.

Library Abuse

Windows: DLL Search Order Hijacking 👑 - requires write permissions on Windows and Windows\System32.
Detection:

Services

Services can be abused differently but are often used as escalation and persistence mechanisms.

Tasks Abuse

Windows
❗️ Both at and schtasks.exe can create tasks remotely.
🏺 Artefacts:
🪵 Event Log: Task Scheduler Operational.

Tokens Misuse

MITRE: https://attack.mitre.org/techniques/T1134/001/, https://attack.mitre.org/techniques/T1134/, https://attack.mitre.org/techniques/T1134/002/, https://attack.mitre.org/techniques/T1134/003/, https://attack.mitre.org/techniques/T1134/004/, https://attack.mitre.org/techniques/T1134/005/
Actors: https://attack.mitre.org/groups/G0032/
Techniques: Token impersonation. runas or CreateProcessWithTokenW to create a process with the rights of another user.