Logo
RSS Feed

👈🏼 Back to
Persistence and Escalation Mechanisms

Kernel

Created: 03.06.2023

Linux

LKM

LKM for Linux. Drivers are one type of kernel extentions.

XDG

https://attack.mitre.org/techniques/T1547/013/

macOS

kext

kext for macOS. kextload and kextunload. These need to be signed with a cert approved by Apple. Otherwise, to launch the app one needs to disable SIP. That’s probably the reason why the RAM cannot be dumped on macOS with SIP enabled. Replaced by System Extentions but still can be used.

reopen

Remember the “Reopen windows when logging back in” prompt on macOS? When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.

Windows

LSASS driver

Shortcuts

Abuse shortcuts in the startup folder to execute their tools and achieve persistence

Port Monitors

  1. AddMonitor API call. spoolsv.exe runs under SYSTEM privileges.
  2. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors (option #2)
    1. Local Port
    2. Standard TCP/IP Port
    3. USB Monitor
    4. WSD Port

Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe (SYSTEM permissions, during boot.

  1. AddPrintProcessor for account with SeLoadDriverPrivilege flag set.
  2. adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL.

References

Expand…
  1. Wardle, Patrick. The Art of Mac Malware
  2. PEASS, detect possible PE vectors on a W/L/M machine.
  3. GTFOBins, https://gtfobins.github.io/