Malware Persistence

A free, community-sourced, machine-readable knowledge base of digital forensic artifacts.

Repository of detection rules, covering persistence techniques as well. You can even use filters such as --filter tag=attack.persistence or specifically for one technique tag=attack.t1084.

Rootkit leveraging eBPF.

Rootkit leveraging eBPF.

Access persistence tool for AWS. The corresponding article describes the techniques adversaries can use to hide themselves within a cloud environment and its AWSDoor implementation to simplify and automate the deployment of persistence techniques in AWS environments.

A highly customizable Linux persistence tool. Perform various persistence techniques against Linux systems, among others Debian and RHEL.

A loadable kernel module (LKM) rootkit for Linux Kernels (x86/x86_64 and ARM64).

Perform various persistence techniques on macOS.

A red team attack techniques framework supporting also the MITRE ATT&CK persistence techniques, see e.g. T1044 "File System Permissions Weakness".

Various (also non standard) persistence methods used by malware for testing own detection, among others COM hijacking demo is found in the repo.

A tool to uncover persistently installed software in order to generically reveal such malware. See GitHub repository too for the source code.

A simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. See GitHub repository too for the source code.

A PowerShell version of Autoruns.

Instead of using CSV output and copy these file to the server, you can use the AutorunsToWinEventLog script to convert the Autoruns output to Windows event logs and rely on standard Windows event log forwarding.

Powershell module to hunt for persistence implanted in Windows machines.

Extracts various persistence mechanisms from the registry files directly.

Extract various persistence mechanisms, e.g. by using the config file UserClassesASEPs to extract user's CLSID information.

The tool allows collecting various predefined artifactgs using targets and modules, see KapeFiles which include persistence mechanisms, among others there's a collection of LNK files, scheduled task files and scheduled task listing or a WMI repository auditing module.

A Python-based offline Windows persistence detection tool. Point it at a KAPE dump, a Velociraptor collection, or a mounted disk image and get offline Windows persistence detection. Runs on Windows, Linux, and macOS.

Use the tools from this list which includes awesome free (mostly open source) forensic analysis tools and resources. They help collecting the persistence mechanisms at scale, e.g. by using remote forensics tools.

Use rules and logs from the HIDS to detection configuration changes.

Security and monitoring scripts you can use to monitor your Linux installation for security-related events or for an investigation. Among other finding systemd unit files used for malware persistence.

Use the tools and resources for security incident response, aimed to help security analysts and DFIR teams.

A incident response tool covering various commands for cleanup of persistence mechanisms as well.

A tool which provides continual protection by monitoring persistence locations and protects them accordingly. Similar to KnockKnock but for blocking.