
I heard about persistent reverse shells, and how in theory they can stay indefinitely on the target's system and connect back to the host when the target's machine boots up, but how do reverse shells gain their persistence? Do they copy themselves to the Windows Startup folder, is there an external script which runs the program, or do they write to a process?

Practical1
  • Your question is pretty broad. It depends. It could be that the reverse shell is embedded into a program, or an attacker could have just had remote code execution as a privileged user and installed a system service. It depends on the attack and the payload. Some attacks are really complex, others very simple. – nbering Nov 07 '18 at 00:34

2 Answers


They don't.

A reverse shell is just a technique to connect to and control a computer. On its own, a reverse shell has absolutely no persistence capabilities. In order to persist, it must be the payload of malware which does offer persistence. A few examples of how this can be done:

  • malicious software could be set to run automatically as a service

  • existing programs that are run periodically or once at boot could be modified

  • core components of the OS, such as the kernel and bootloader, could be modified

  • a common shared library could be replaced with a malicious one

These are only a few examples. There are many ways to establish persistence.

forest
  • Thanks for the answer, but I have a few questions: How does persistence happen, in other words what are the ways backdoors and other malware gain persistence? – Practical1 Nov 07 '18 at 00:30
  • @Practical1 That's a different question and is entirely too broad. It could be an actual backdoor in an executable or kernel module, or a service scheduled to run. It could be a script put in an autorun directory. – forest Nov 07 '18 at 00:31
  • Yes, maybe the question is too broad, but: Q: "How do persistent reverse shells and other malware gain their persistency?" A: "They don't. ... it must be the payload of malware which does offer persistence." Very fastidious. I don't think this answers the question. The question was not "Does malware have a payload which does offer persistence" but ">How< ...". So, for example, this kind of payload is the interesting point here. – anion Dec 09 '22 at 21:17

There are numerous ways this can occur and these differ depending on your stack. Unfortunately there are too many to go through here - BUT what I would suggest if you are interested in this sort of thing (and it is extremely interesting) is that you go to the MITRE ATT&CK site and look over the category marked persistence for practical examples.

The short of it is that things like tasks or applications that run quite often can have certain flaws in them that will allow malicious code to be executed, giving persistence. Why, on Windows you can use WMI events to maintain persistence every time the user opens Chrome if you want.

McMatty
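A defender-side audit that lists the persistence locations the question and both answers name (Startup folders and Run keys, auto-start services, scheduled tasks, and permanent WMI event subscriptions), as an added example that is not part of either answer. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-ScheduledTask and Get-CimInstance are available, and it only reads; nothing is modified.

```powershell
# Added example (not from the original answers): read-only audit of the persistence
# locations named above: Run keys, Startup folders, auto-start services, scheduled
# tasks and permanent WMI event subscriptions. Run elevated; nothing is modified.
function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys | Where-Object { Test-Path $_ }) {
        # Each registry value under the key is one program launched at logon.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
}
function Get-StartupFolderEntries {
    # Anything dropped in a Startup folder runs at logon (per user or for all users).
    foreach ($folder in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName } }
    }
}
function Get-AutoStartServices {
    # Services set to start automatically, with the binary they point at.
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
}
function Get-NonMicrosoftTasks {
    # Scheduled tasks outside the \Microsoft\ tree; each action is a command run on a trigger.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Command = $actions }
    }
}
function Get-WmiSubscriptions {
    # Permanent WMI subscriptions: a filter (trigger, e.g. a process-start event) paired
    # with a consumer (the action, a command line or script). Both survive reboots.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        ForEach-Object { [pscustomobject]@{ Source = 'WMI filter'; Name = $_.Name; Command = $_.Query } }
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object {
        $action = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText }
        [pscustomobject]@{ Source = "WMI $($_.CimClass.CimClassName)"; Name = $_.Name; Command = $action }
    }
}
# Review anything whose Command points outside Program Files / System32 or looks obfuscated.
@(Get-RunKeyEntries; Get-StartupFolderEntries; Get-AutoStartServices; Get-NonMicrosoftTasks; Get-WmiSubscriptions) |
    Format-Table -AutoSize -Wrap
```

Compare the output against a known-good baseline of the same machine; a new Run value, a task whose action is a script interpreter, or any consumer in root\subscription on a workstation that should have none is worth a closer look.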