Daniel Roberson - shell function as userland rootkit

Posts
About
Notes
Projects
Posts

About

Notes

Projects

shell function as userland rootkit

0001-01-01

shell functions can be used as a crude userland rootkit. Attackers can add functions to the shell with the same name as certain system commands (ls, find, netstat, …) that filter out IoCs related to the attacker.

Links to this note

chaos-lang2023

shell function as userland rootkit

0001-01-01

Links to this note

Recent Posts

Linux Hardening: SSH

2025-03-06 DFIR SSH hardening linux hardening SSH PAM

Linux Anti-Forensics: Timestomping

2025-03-05 DFIR linux anti-forensics

Finding Bad with Linux Package Managers

2025-03-03 DFIR linux persistence

Linux Persistence: Startup Scripts

2024-11-10 DFIR CTF linux persistence systemd SysV init startup script

Linux Persistence: Cron

2024-11-10 DFIR CTF linux persistence cron