Posts on Daniel Roberson

Linux Persistence: Modular Software

Thu, 17 Apr 2025 00:00:00 +0000

Introduction

A less common, but powerful persistence mechanism is abusing modular software. Many services, clients, and other tools support third-party modules or scripting extensions If one of these extensible services is running, an attacker may be able to introduce a malicious module–abusing it to persist on the system.

These types of attacks are harder to find–not because they’re deeply hidden, but because they’re situational and less commonly discussed. Not every host will be running Apache or Asterisk, but most will be running cron or systemd. As a result, defenders and automated security checks often overlook these services entirely.

Linux Persistence: Web Shells

Wed, 16 Apr 2025 00:00:00 +0000

Introduction

This post focuses on web shells on Linux systems, though many of the concepts apply to Windows/IIS environments as well–they’re just not covered here explicitly.

Web servers come in all shapes and sizes, with different languages, features, logging behavior, and configurations. These setups can very wildly depending on how clever (or careless, clueless, …) the systems administrators and developers are.

This guide doesn’t aim to cover web exploitation techniques–that’s a deep and complex topic on its own that many folks build entire careers around. Instead, this post focuses on what to look for after a web shell has been placed: how to detect it, and how to harden systems against web shell-based attacks.

Linux Persistence: Rootkits

Tue, 15 Apr 2025 00:00:00 +0000

Linux Persistence: Rootkits

Rootkits are one of the deepest and most complex forms of persistence. This post will only scratch the surface, but will walk through the main categories, techniques, and practical detection advice.

Rootkits focus on stealth, persistence, or both. Some are built solely to hide activity (processes, files, network activity), while others provide persistent backdoors or easy privilege escalation. Many rootkits provide both–providing a full-fledged post-exploitation solution.

While there are many techniques used to implement them, most rootkits fall into a few main categories: binary replacement, LD_PRELOAD and dynamic linker abuse, Loadable Kernel Modules (LKMs), and debugging/tracing framework abuse (ftrace, kprobes, eBPF).

Linux Persistence: Processes

Fri, 11 Apr 2025 00:00:00 +0000

Linux Persistence: Processes

Malware doesn’t appear on a system by magic. At some point in the attack chain, the adversary needs to spawn, inject into, or hijack a process. Whether it’s installing itself, poking around, or exfiltrating data, code has to run–and the vessel to run code is almost always a process.

This post covers how attackers can abuse processes for persistence on Linux and Unix-like systems. It isn’t a deep dive into process injection, evasion, or anti-forensics–those are entire topics on their own–but it does establish the foundation you need to understand how process-based persistence works and what signs defenders should look for.

Defanging Linux LKM Rootkits With cleanup_module()

Sat, 05 Apr 2025 00:00:00 +0000

Defanging Linux LKM Rootkits With cleanup_module()

I recently came across a Github repository that demonstrated a technique to degrade the integrity of EDR software by directly invoking cleanup logic common to Loadable Kernel Modules (LKMs).

After digging in and testing this for myself, I found the technique both sound and technically straightforward.

In short, every(?) LKM is defined by a struct module entry, which includes metadata about the module including things such as its name, status, versioning information, etc. One particularly interesting member of struct modules is exit, a pointer to the module’s destructor function. Regardless of what the original function is named in the module’s source code, it gets exported as a symbol symbol named "cleanup_module".

Linux Persistence: atd

Tue, 01 Apr 2025 00:00:00 +0000

Linux Persistence: atd and at Jobs

On Linux and Unix-like systems, the atd daemon allows users to schedule one-time command execution. It is similar to cron, but instead of recurring jobs, at runs a command once at a specified time in the future.

This system was far more common in a couple of decades ago in the days of actual shared, multi-user Unix systems. A sysadmin might need to reboot a machine or restart a service but see a dozen users actively working. Rather than booting everyone off the system, they could defer the action with at, scheduling it for midnight or some off-peak time. Users, too, might queue up resource-heavy jobs to run after hours out of courtesy to others on the system.

Linux Persistence: SSH

Sat, 29 Mar 2025 00:00:00 +0000

Linux Persistence: SSH

This is a long-form blog post about methods attackers use to achieve persistence by leveraging SSH on Linux and Unix-like systems. This post ended up being much longer than I originally anticipated–there are a ton of ways to establish persistence and enable lateral movement by abusing SSH.

Despite the length, I’ve probably still missed a few techniques. I’ll likely revisit this post over time as I come across new methods and better approaches.

Linux Hardening: SSH

Thu, 06 Mar 2025 00:00:00 +0000

Introduction

This is a basic guide to hardening OpenSSH systems with a focus on Debian and Ubuntu systems. Most of these settings will also work on other Linux distributions and Unix-like systems, but some topics such as removing the Debian banner or enabling unattended-upgrades are specific to these distributions. As such, you need to use your head when applying these settings; some may not work well for you as written or need to be altered to whatever distribution you are using.

Linux Anti-Forensics: Timestomping

Wed, 05 Mar 2025 00:00:00 +0000

What is Timestomping?

Timestomping is an anti-forensics technique used to modify the timestamps of files on the file system, allowing attackers to conceal when files were written or modifled. By changing timestamps an attacker can blend their malicious activity into the system, thus reducing the chances of detection during an investigation or casual observation.

Timestomping is mapped in the MITRE ATT&CK framework as T1070.006 and affects all modern operating systems.

An example scenario where timestomping may be employed:

Finding Bad with Linux Package Managers

Mon, 03 Mar 2025 00:00:00 +0000

Full-disclosure: I wrote about this on my previous blog https://dmfrsecurity.com/2020/02/25/finding-bad-with-package-managers/ and most of the content of this post is copied from this post. The dmfrsecurity.com blog will likely be decommissioned in the near future.

Introduction

Most Linux distributions use package managers (like RPM or dpkg) to streamline software installation and updates, making it easier to manage dependencies. A lesser-known but crucial feature provided by package managers is the ability to verify the integrity of the files installed by a package. This post will explore how to use package managers to uncover malware and persistence mechanisms on Linux systems.

Linux Persistence: Cron

Sun, 10 Nov 2024 00:00:00 +0000

Introduction to Cron Persistence

A very common tactic for persistence is to use the cron daemon. Cron is a service found on Linux and Unix-like operating systems that enables the users of a system to schedule arbitrary tasks to run in the future.

This technique is mapped in the MITRE ATT&CK framework as T1053.003.

Cron is an attractive choice for attackers and malware to use as persistence because it is almost always installed and active for all users of a system. If an attacker compromises a user or service account, chances are they can install cron jobs as that user.

Linux Persistence: Startup Scripts

Sun, 10 Nov 2024 00:00:00 +0000

Linux Persistence: Startup Scripts

A key feature of most operating systems is the ability to automatically run programs or scripts during startup, reboot, or state transitions (e.g., resuming from hibernation, connecting to a network).

Linux offers several mechanisms to handle this, including SysV-style init scripts, systemd units, and legacy init.d scripts:

systemd unit files can run programs at boot or on a schedule, similar to cron.
/etc/init.d scripts are invoked by the init process during early boot.

Linux Persistence: User Accounts

Sun, 27 Jun 2021 00:00:00 +0000

Overview

Using the existing logon facilities on a *nix host is a popular and straightforward method used by attackers to persist on a system. Once an attacker has compromised a set of credentials, they can log in as if they were an authorized user.

How attackers obtain credentials

Attackers can obtain valid credentials using several methods:

Default credentials. A system may come with a valid set of credentials configured out of the box. This practice is common in consumer equipment and virtual machine appliances. A classic example of a default credential is admin/admin.

Review: Adversarial Tradecraft in Cybersecurity

Tue, 15 Jun 2021 00:00:00 +0000

Book notes

This is my review of Adversarial Tradectaft in Cybersecurity: Offense versus defense in real-time computer conflict by Dan Borges.

I was excited when I heard that Dan was writing a book. I have played in several games alongside him and really enjoy working with him each time. I also make heavy use of gscript when I play these kinds of CTFs, which he was a co-author of. As soon as I saw it on sale on Amazon, I pre-ordered it.