Linux Persistence Techniques That Survive Reboot and EDR
An operator focused tour of Linux persistence, from systemd units and SSH key drops to LD_PRELOAD hooks, and which techniques modern Linux EDR actually catches.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 26, 2025 · 11 min read
Persistence is a separate phase
Privilege escalation and persistence are different skills with different detections. The persistence technique you pick depends on how much noise you can tolerate, how long the engagement runs, and which Linux EDR the customer has deployed.
User space basics
- Drop a public key into authorized_keys, simple and often missed
- Append a malicious alias or function to bashrc or zshrc
- Add a line to /etc/profile.d for system-wide shell hooks
- .bash_logout for code that runs when the user exits
- MOTD scripts in /etc/update-motd.d run on SSH login
systemd services and timers
A systemd service unit with Restart=always survives reboot and recovers from process kills. Pair it with a timer for a beacon-style callback. User units in ~/.config/systemd/user run without root if lingering is enabled with loginctl enable-linger.
Cron variants
- User crontab via crontab -e, lives in /var/spool/cron
- /etc/cron.d drop-in files, root only by default
- @reboot directives for one-shot persistence at boot
- anacron for systems that are not always on
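The four cron variants above differ mainly in where the table lives and whether a user field is present, so a single parser with a flag for the table type covers them. The following is an added example, not code from the post or from BIPI: it parses user spool and cron.d style tables and flags the entries the post singles out (@reboot jobs and commands that run from writable or home directories). The sample crontab text is constructed, and the path prefixes treated as suspicious are an assumption you would tune per fleet.

```python
"""Parse cron tables and flag @reboot jobs and commands from writable paths."""

# Assumed list of prefixes that legitimate cron jobs rarely run from.
WRITABLE_OR_HOME = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_cron(text: str, system_table: bool) -> list:
    """Return [{'schedule', 'user', 'command'}] for one crontab.

    system_table=True for /etc/crontab and /etc/cron.d files, which carry a
    user field after the schedule; False for a user's spool file, where the
    user is implied by the file name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:      # environment assignment such as MAILTO=""
            continue
        if line.startswith("@"):        # @reboot, @daily, ... use a single field
            fields = line.split(None, 1)
            schedule, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, rest = " ".join(fields[:5]), fields[5]
        user = None
        if system_table:
            parts = rest.split(None, 1)
            user, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        entries.append({"schedule": schedule, "user": user, "command": rest.strip()})
    return entries


def flag_cron_entries(entries: list) -> list:
    """Attach reasons to entries that match the patterns described in the post."""
    flagged = []
    for entry in entries:
        reasons = []
        if entry["schedule"] == "@reboot":
            reasons.append("@reboot: runs once when cron starts, so no recurring schedule to notice")
        argv = entry["command"].split()
        if argv and argv[0].startswith(WRITABLE_OR_HOME):
            reasons.append(f"command runs from a writable or home path: {argv[0]}")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Constructed sample spool, not taken from any real system.
    SAMPLE_SPOOL = (
        '# user spool (constructed)\n'
        'MAILTO=""\n'
        '0 3 * * * /usr/bin/backup.sh\n'
        '@reboot /dev/shm/.u/run >/dev/null 2>&1\n'
    )
    for hit in flag_cron_entries(parse_cron(SAMPLE_SPOOL, system_table=False)):
        print(hit["schedule"], hit["command"], "->", "; ".join(hit["reasons"]))
```

Feed it `/var/spool/cron/*` (and `/var/spool/cron/crontabs/*` on Debian-derived systems) with `system_table=False`, and `/etc/crontab` plus `/etc/cron.d/*` with `system_table=True`. The anacron table `/etc/anacrontab` uses a different four-field layout (period, delay, job id, command) and is not handled here.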
Init and shell hooks
On older distros, /etc/rc.local still runs at boot. On systemd-era distros it is often disabled, but the unit can be re-enabled. /etc/profile, /etc/environment, and /etc/bash.bashrc are all loaded by interactive shells. Each is a persistence option with different visibility.
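The user space basics and the init and shell hooks above are all plain files in a small, fixed set of locations, which is why a baseline-and-diff inventory catches most of them. The following is an added example, not code from the post or from BIPI: it hashes every one of those files that exists under a given filesystem root (so it works on a live system or a mounted image) and reports what was added, removed, or modified since a baseline. The home directory discovery (/root plus /home/*) is an assumption made to keep the example dependency free; a production version would read /etc/passwd. The sample tree built by `demo()` is constructed.

```python
"""Baseline-and-diff inventory of shell and login hook files."""
import hashlib
import tempfile
from pathlib import Path

# Paths named in the post, relative to the filesystem root being inspected.
SYSTEM_HOOKS = ["etc/profile", "etc/environment", "etc/bash.bashrc", "etc/rc.local"]
HOOK_DIRS = ["etc/profile.d", "etc/update-motd.d"]
USER_FILES = [".bashrc", ".zshrc", ".bash_logout", ".ssh/authorized_keys"]


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _home_dirs(root: Path) -> list:
    # Assumption: /root plus every directory under /home. Reading /etc/passwd
    # would be more accurate on a real host.
    homes = [root / "root"]
    home_parent = root / "home"
    if home_parent.is_dir():
        homes += [p for p in sorted(home_parent.iterdir()) if p.is_dir()]
    return homes


def inventory(root="/") -> dict:
    """Return {relative_path: sha256} for every persistence point that exists."""
    root = Path(root)
    targets = [root / p for p in SYSTEM_HOOKS]
    for hook_dir in HOOK_DIRS:
        directory = root / hook_dir
        if directory.is_dir():
            targets += sorted(p for p in directory.iterdir() if p.is_file())
    for home in _home_dirs(root):
        targets += [home / name for name in USER_FILES]
    return {str(p.relative_to(root)): _sha256(p) for p in targets if p.is_file()}


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Classify changes between two inventories taken at different times."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed sample tree, baseline it, then simulate two drops."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/profile.d").mkdir(parents=True)
    (root / "home/alice/.ssh").mkdir(parents=True)
    (root / "etc/profile").write_text("export PATH=/usr/bin:/bin\n")
    (root / "etc/profile.d/lang.sh").write_text("export LANG=C.UTF-8\n")
    (root / "home/alice/.bashrc").write_text("alias ll='ls -l'\n")
    baseline = inventory(root)
    # Simulated changes (constructed placeholders): an appended alias and a new key file.
    with (root / "home/alice/.bashrc").open("a") as fh:
        fh.write("alias ls='/tmp/PLACEHOLDER'\n")
    (root / "home/alice/.ssh/authorized_keys").write_text("ssh-ed25519 AAAA_PLACEHOLDER constructed\n")
    return diff_inventory(baseline, inventory(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline off-host; an inventory kept on the machine it describes can be edited along with the files it covers.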
Kernel modules
- A loadable kernel module gives the deepest hooks and the loudest signal
- Diamorphine and Reptile are public rootkits, easy for defenders to fingerprint
- Custom modules require kernel headers and careful version matching
- Module signing on newer distros blocks unsigned loads unless secure boot is off
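Two cheap checks follow from the kernel module points above: the kernel taint mask records whether an out-of-tree or unsigned module was ever loaded (the bits stay set until reboot), and any module in /proc/modules that has no entry in the running kernel's modules.dep was loaded from outside the module tree. The following is an added example, not code from the post or from BIPI; the taint bit positions come from the kernel's tainted-kernels documentation, and the sample /proc/modules and modules.dep text is constructed.

```python
"""Decode the kernel taint mask and find modules loaded from outside the tree."""
from pathlib import Path

# Bit positions from Documentation/admin-guide/tainted-kernels.rst; only the
# module-related flags are listed here.
TAINT_BITS = {
    0: ("P", "proprietary module loaded"),
    1: ("F", "module was force-loaded"),
    3: ("R", "module was force-unloaded"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
}


def decode_taint(value: int) -> list:
    """Return (flag, meaning) for each known bit set in /proc/sys/kernel/tainted."""
    return [TAINT_BITS[bit] for bit in sorted(TAINT_BITS) if value & (1 << bit)]


def parse_proc_modules(text: str) -> list:
    """Each /proc/modules line: name size refcount dependencies state address [(taint)]."""
    modules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            modules.append({"name": parts[0], "size": int(parts[1]),
                            "refcount": int(parts[2]), "state": parts[4]})
    return modules


def _module_name(path: str) -> str:
    """kernel/net/foo-bar.ko.zst -> foo_bar, matching the name the kernel reports."""
    name = Path(path).name
    for suffix in (".ko.zst", ".ko.xz", ".ko.gz", ".ko"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
            break
    return name.replace("-", "_")


def modules_outside_tree(proc_modules_text: str, modules_dep_text: str) -> list:
    """Loaded module names with no entry in /lib/modules/$(uname -r)/modules.dep.

    A module inserted from an arbitrary path (insmod /some/where/x.ko) is loaded
    but never appears in modules.dep, so it shows up here.
    """
    known = set()
    for line in modules_dep_text.splitlines():
        path = line.split(":", 1)[0].strip()
        if path:
            known.add(_module_name(path))
    return [m["name"] for m in parse_proc_modules(proc_modules_text)
            if m["name"].replace("-", "_") not in known]


def module_sig_enforced(root: str = "/") -> bool:
    """True when the kernel refuses unsigned modules (module.sig_enforce=Y)."""
    param = Path(root) / "sys/module/module/parameters/sig_enforce"
    return param.is_file() and param.read_text().strip() == "Y"


if __name__ == "__main__":
    # Constructed sample data; real values come from /proc/sys/kernel/tainted,
    # /proc/modules and /lib/modules/$(uname -r)/modules.dep.
    SAMPLE_TAINT = 12288
    SAMPLE_PROC = ("nf_tables 266240 1 nft_compat, Live 0x0000000000000000\n"
                   "constructed_mod 16384 0 - Live 0x0000000000000000 (OE)\n")
    SAMPLE_DEP = ("kernel/net/netfilter/nf_tables.ko: kernel/net/netfilter/nfnetlink.ko\n"
                  "kernel/net/netfilter/nfnetlink.ko:\n")
    print(decode_taint(SAMPLE_TAINT))
    print(modules_outside_tree(SAMPLE_PROC, SAMPLE_DEP))
```

A module that removes itself from the kernel's module list will not appear in /proc/modules at all, but the taint bits were set when it loaded and survive that, which is why both checks are worth running together.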
PAM modules
A custom PAM module can log every password or grant access on a magic string. Drop it into /lib/security or /usr/lib/x86_64-linux-gnu/security and add a line to /etc/pam.d/sshd. File integrity monitoring can detect the drop, but these paths are rarely watched.
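Because the dropped module sits in the same directory as the legitimate ones, the useful check is on the PAM service file: which modules each line loads, whether any is referenced by absolute path, and whether each module file is one the distribution actually shipped. The following is an added example, not code from the post or from BIPI: a parser for pam.d service files and an audit against an allowlist. The sample service file and the allowlist are constructed; `pam_helper.so` is a placeholder name.

```python
"""Audit a PAM service file for modules outside the distribution's module set."""
import re
from pathlib import Path

# type, control (plain word or [bracketed ...]), module path, optional args.
PAM_LINE = re.compile(
    r"^(?P<optional>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text: str) -> list:
    """Return one dict per directive; @include lines are kept as {'include': name}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("@include"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append({"include": parts[1].strip()})
            continue
        match = PAM_LINE.match(line)
        if match:
            entries.append({"type": match["type"], "control": match["control"],
                            "module": match["module"], "args": match["args"] or ""})
    return entries


def audit_pam(entries: list, allowed_modules: set) -> list:
    """Flag directives whose module is not allowlisted or is loaded by absolute path."""
    findings = []
    for entry in entries:
        if "include" in entry:
            continue
        reasons = []
        if entry["module"].startswith("/"):
            reasons.append("module loaded by absolute path instead of the default directory")
        if Path(entry["module"]).name not in allowed_modules:
            reasons.append("module file is not in the allowlist")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed sample of /etc/pam.d/sshd; pam_helper.so is a placeholder name.
    SAMPLE_SSHD = (
        "# PAM configuration for sshd (constructed)\n"
        "@include common-auth\n"
        "auth    [success=1 default=ignore] pam_unix.so nullok\n"
        "-session optional pam_systemd.so\n"
        "auth    optional  /usr/lib/x86_64-linux-gnu/security/pam_helper.so\n"
        "account required  pam_nologin.so\n"
    )
    ALLOWED = {"pam_unix.so", "pam_systemd.so", "pam_nologin.so"}
    for hit in audit_pam(parse_pam(SAMPLE_SSHD), ALLOWED):
        print(hit["type"], hit["module"], "->", "; ".join(hit["reasons"]))
```

Build the allowlist from package ownership (for example `dpkg -S` or `rpm -qf` on each `pam_*.so`) rather than from a directory listing, since a listing of /lib/security would include the dropped module. Walk `@include` targets the same way; common-auth and common-session are where a line is least likely to be noticed.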
What EDR actually catches
- CrowdStrike Falcon for Linux flags ld.so.preload and new SUID binaries
- SentinelOne for Linux watches systemd unit drops in non-standard paths
- Microsoft Defender for Endpoint on Linux monitors crontab and cron.d writes
- Falco rules cover most of the above, plus kernel module loads
- auditd with the Linux Audit ruleset catches new files in /etc and /lib
Quieter techniques
- SSH ForceCommand in sshd_config for a specific key
- Git hook on a developer repo that is pulled in CI
- Override an existing systemd unit via a drop-in at /etc/systemd/system/foo.service.d
- Modify a binary in /usr/local/bin that is invoked by an existing cron
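The SSH item in the list above is quiet because nothing new lands in the usual persistence directories: a login is simply bound to a command, either by ForceCommand in sshd_config (globally or inside a Match block) or by a `command=` option on an individual key in authorized_keys. The following is an added example, not code from the post or from BIPI: parsers for both files that surface every such binding. Both sample inputs are constructed.

```python
"""Surface ForceCommand directives and per-key command= options."""
import re

# Key types begin with one of these prefixes; anything before them is options.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_sshd_config(text: str) -> list:
    """Return (scope, keyword, value) triples; scope is 'global' or the Match criteria."""
    scope, directives = "global", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            scope = value
            continue
        directives.append((scope, keyword, value))
    return directives


def force_commands(text: str) -> list:
    """Every ForceCommand with the scope it applies to."""
    return [(scope, value) for scope, keyword, value in parse_sshd_config(text)
            if keyword == "forcecommand"]


def _split_options(options: str) -> list:
    """Split comma-separated key options, honouring double-quoted values."""
    out, current, quoted = [], "", False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(current)
            current = ""
        else:
            current += ch
    if current:
        out.append(current)
    return out


def parse_authorized_keys(text: str) -> list:
    """Return [{'type', 'comment', 'options'}] for each key line."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = []
        if not line.startswith(KEY_TYPE_PREFIXES):
            # Options precede the key type; they end at the first unquoted space.
            index, quoted = 0, False
            while index < len(line):
                if line[index] == '"':
                    quoted = not quoted
                elif line[index] == " " and not quoted:
                    break
                index += 1
            options = _split_options(line[:index])
            line = line[index:].strip()
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        keys.append({"type": parts[0], "comment": parts[2] if len(parts) > 2 else "",
                     "options": options})
    return keys


def keys_with_command(text: str) -> list:
    """Keys whose options bind the login to a command."""
    return [key for key in parse_authorized_keys(text)
            if any(opt.startswith("command=") for opt in key["options"])]


if __name__ == "__main__":
    # Constructed samples; key material is a placeholder.
    SAMPLE_SSHD_CONFIG = ("Port 22\nForceCommand=/usr/local/bin/constructed-wrapper\n"
                          "Match User deploy\n    ForceCommand /opt/deploy/shell\n")
    SAMPLE_KEYS = ('ssh-ed25519 AAAA_PLACEHOLDER alice@laptop\n'
                   'command="/tmp/.w/run",no-pty,no-port-forwarding ssh-rsa AAAA_PLACEHOLDER constructed\n')
    print(force_commands(SAMPLE_SSHD_CONFIG))
    print(keys_with_command(SAMPLE_KEYS))
```

Also check the AuthorizedKeysFile and AuthorizedKeysCommand directives that parse_sshd_config returns: either one can point key lookups somewhere other than ~/.ssh/authorized_keys, which defeats an inventory that only hashes that path.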
On a mature Linux fleet, the persistence that survives is the persistence that looks like normal admin activity.
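Both the systemd section earlier and the drop-in override in the list above come down to reading unit-file text and asking a few questions: where does the file live, what does ExecStart run, is Restart=always set, does a timer repeat, and does a drop-in reset ExecStart. The following is an added example, not code from the post or from BIPI: a minimal unit-file parser and a triage function that answers those questions for units, user units, timers, and drop-ins, plus a lookup of which users have linger enabled. The standard unit directories and the writable-path prefixes are assumptions to tune per distribution; all sample unit text is constructed.

```python
"""Triage systemd unit files and drop-in overrides."""
from pathlib import Path

# Assumed locations where a unit is expected to live.
STANDARD_UNIT_DIRS = ("/lib/systemd/system/", "/usr/lib/systemd/system/",
                      "/etc/systemd/system/", "/run/systemd/system/")
# Assumed prefixes that legitimate services rarely run from.
WRITABLE_OR_HOME = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_unit(text: str) -> dict:
    """Minimal unit-file parser: {section: {key: [values...]}}.

    Repeated keys are kept in order because an empty ExecStart= resets the list
    and the next ExecStart= replaces it; that is what a drop-in override uses.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def _exec_binary(exec_line: str) -> str:
    """Strip the ExecStart prefix characters (@ - : + !) and return argv[0]."""
    parts = exec_line.lstrip("@-:+!").split()
    return parts[0] if parts else ""


def triage_unit(path: str, text: str) -> list:
    """Return findings for one unit or drop-in file; an empty list means nothing notable."""
    findings = []
    parts = Path(path).parts
    is_dropin = path.endswith(".conf") and any(p.endswith(".d") for p in parts[:-1])
    is_user_unit = "/.config/systemd/user/" in path
    if is_dropin:
        overridden = next(p for p in parts if p.endswith(".d"))[:-2]
        findings.append(f"drop-in override of {overridden}")
    elif is_user_unit:
        findings.append("user unit: runs without root once linger is enabled")
    elif not path.startswith(STANDARD_UNIT_DIRS):
        findings.append("unit outside the standard unit directories")
    unit = parse_unit(text)
    service = unit.get("Service", {})
    execs = service.get("ExecStart", [])
    if is_dropin and len(execs) > 1 and execs[0] == "":
        findings.append("ExecStart reset: the packaged command is replaced")
    for binary in map(_exec_binary, execs):
        if binary.startswith(WRITABLE_OR_HOME):
            findings.append(f"ExecStart runs from a writable or home path: {binary}")
    if "always" in service.get("Restart", []):
        findings.append("Restart=always: killing the process does not remove it")
    timer = unit.get("Timer", {})
    for key in ("OnUnitActiveSec", "OnCalendar"):
        for value in timer.get(key, []):
            findings.append(f"repeating timer {key}={value}")
    return findings


def lingering_users(root: str = "/") -> list:
    """Users with loginctl enable-linger set: their user units start at boot."""
    linger_dir = Path(root) / "var/lib/systemd/linger"
    return sorted(p.name for p in linger_dir.iterdir()) if linger_dir.is_dir() else []


if __name__ == "__main__":
    # Constructed samples, not from any real incident.
    SAMPLES = {
        "/home/alice/.config/systemd/user/agent.service":
            "[Service]\nExecStart=/tmp/.cache/agent --interval 60\nRestart=always\n",
        "/etc/systemd/system/foo.service.d/override.conf":
            "[Service]\nExecStart=\nExecStart=/var/tmp/foo\n",
        "/lib/systemd/system/cron.service":
            "[Service]\nExecStart=/usr/sbin/cron -f\nRestart=on-failure\n",
    }
    for unit_path, unit_text in SAMPLES.items():
        print(unit_path, triage_unit(unit_path, unit_text))
```

Run it over every `*.service`, `*.timer`, and `*.d/*.conf` under /etc/systemd, /lib/systemd, /run/systemd, and each home directory's .config/systemd/user, and cross-reference user units against `lingering_users()`: a user unit only persists across reboot for a user in that list.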
Cleanup matters
Document every persistence artifact you create. At the end of the engagement, remove them with the customer watching. Leaving a dropper behind because you forgot is the fastest way to lose a customer and a reference.