awesome-malware-persistence
A curated list of awesome malware persistence tools and resources.
https://github.com/Karneades/awesome-malware-persistence
Last synced: about 3 hours ago
JSON representation
-
Techniques
-
Generic
- MITRE ATT&CK tactic "TA0003 - Persistence" - MITRE ATT&CK tactic "TA0003 - Persistence".
- Sigma rules - Sigma rules which covers persistence techniques. You can even use filters such as `--filter tag=attack.persistence` or specifically for one technique `tag=attack.t1084`.
- forensic artifact repository - Forensic artifact repository covers persistence techniques in their artifacts.
-
Linux
- Linux Malware Persistence with Cron - Blog post about linux persistence using cron jobs.
- Linux Persistence Techniques - List of persistence techniques.
- Linux Red Team Persistence Techniques - List of persistence techniques.
- ebpfkit - Rootkit leveraging eBPF.
- TripleCross - Rootkit leveraging eBPF.
- Linux LKM Persistence - Rootkit leveraging Linux loadable kernel module (LKM).
- PANIX - Persistence Against *NIX - Features - List of persistence techniques.
- Linux Detection Engineering - A primer on persistence mechanisms - List of Linux persistence mechanisms.
-
macOS
- theevilbit's series "Beyond the good ol' LaunchAgents" - List of macOS persistence beyond just the LaunchDaemons or LaunchAgents.
- KnockKnock - A persistence detection tool for macOS to scan for persistence mechanisms on macOS. Specific persistence locations are found in the [plugins](https://github.com/objective-see/KnockKnock/tree/main/Plugins) folder, e.g. [LaunchItems](https://github.com/objective-see/KnockKnock/blob/main/Plugins/LaunchItems.m#L21) or [StartupScripts](https://github.com/objective-see/KnockKnock/blob/main/Plugins/StartupScripts.m#L22).
- PoisonApple - Learn about various macOS persistence techniques by looking at the source code of PoisonApple.
- How malware persists on macOS - List of macOS persistence mechanisms.
-
Windows
- Hexacorn's blog - Hexacorn's blog category for persistence category including the series "Beyond good ol' Run key".
- Autoruns - You can learn which Windows persistence mechanisms are checked by looking at the output of Autoruns on your own client. Categories and the different locations where things were found are seen in the output. A disassembly of Autoruns lists a subset of the entries which are scanned.
- PowerShell implementation of Autoruns - Another way to find Windows persistence locations is to look at the source code of the PowerShell version of Autoruns. Bonus: A history of the covered persistence locations for each Autoruns version is found at the end of the module file too, which is so awesome!
- Malware persistence techniques - Good summary of multiple persistence mechanisms, ranging from multiple registry keys to more advanced one, like COM hijacking.
- Detecting & Removing an Attacker's WMI Persistence - Blog post about detecting and removing WMI persistence.
- Windows Persistence using WinLogon - Blog post about abusing WinLogon.
- Untangling Kovter's persistence methods - Blog post about Kovter's persistens methos, among others, hiding in registry. Another one is [Threat Spotlight: Kovter Malware Fileless Persistence Mechanism](https://threatvector.cylance.com/en_us/home/threat-spotlight-kovter-malware-fileless-persistence-mechanism.html).
- Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response - Blog post about bootloader persistence.
- COM Object hijacking: the discreet way of persistence, 2014
- Abusing COM hijacking in combination with scheduled tasks, 2016
- Hunting for persistence via Microsoft Exchange Server or Outlook - Blog post about Microsoft Exchange server persistence.
- Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe - Blog post about abusing GlobalFlag for process execution.
- Common malware persistence mechanisms - Different persistence mechanisms for different vectors are described.
- Persistence – COM Hijacking, 2020
-
Firmware
- MoonBounce: the dark side of UEFI firmware - An in-depth write up about one particular UEFI bootkit.
-
Cloud
- Shadow Linking: The Persistence Vector of SaaS Identity Threat - Abuse of additional identity providers to persist in an environment.
-
-
Persistence Removal
-
Generic
- Awesome Incident Response - Use the tools and resources for security incident response, aimed to help security analysts and DFIR teams.
-
Windows
- Removing Backdoors – Powershell Empire Edition - Various blog posts handle the removal of WMI implants.
- RegDelNull - Removal of registry keys with null bytes - used e.g. in run keys for evasion.
- PowerSponse - PowerSponse includes various commands for cleanup of persistence mechanisms.
-
-
Collection
-
Generic
- osquery - Query persistence mechanisms on clients.
- Awesome Forensics - Use the tools from this list which includes awesome free (mostly open source) forensic analysis tools and resources. They help collecting the persistence mechanisms at scale, e.g. by using remote forensics tools.
- OSSEC - Use rules and logs from the HIDS to detection configuration changes.
-
macOS
- KnockKnock - A tool to uncover persistently installed software in order to generically reveal such malware. See [GitHub repository too for the source code](https://github.com/objective-see/KnockKnock).
- Dylib Hijack Scanner or DHS - A simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. See [GitHub repository too for the source code](https://github.com/objective-see/DylibHijackScanner).
-
Windows
- Autoruns - A powerful persistence collection tool on Windows is Autoruns. It collects different categories and persistence information from a live system and [in
- AutorunsToWinEventLog.ps1 - Instead of using CSV output and copy these file to the server, you can use the AutorunsToWinEventLog script to convert the Autoruns output to Windows event logs and rely on standard Windows event log forwarding.
- RegRipper - Extracts various persistence mechanisms from the registry files directly.
- KAPE - The tool allows collecting various predefined artifactgs using targets and modules, see [KapeFiles](https://github.com/EricZimmerman/KapeFiles) which include persistence mechanisms, among others there's a collection of [LNK files](https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/LNKFilesAndJumpLists.tkape), [scheduled task files](https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/ScheduledTasks.tkape) and [scheduled task listing](https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/schtasks.mkape) or a [WMI repository auditing](https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/WMI-Repository-Auditing.mkape) module.
-
Linux
- Linux Security and Monitoring Scripts - Security and monitoring scripts you can use to monitor your Linux installation for security-related events or for an investigation. Among other finding systemd unit files used for malware persistence.
-
-
Detection Testing
-
Windows
- Atomic Red Team - Atomic Red Team supports also the MITRE ATT&CK persistence techniques, see e.g. [T1044 "File System Permissions Weakness"](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1044/T1044.yaml).
- hasherezade persistence demos - Various (also non standard) persistence methods used by malware for testing own detection, among others COM hijacking demo is found in the repo.
- PoisonApple - Perform various persistence techniques on macOS.
-
-
Prevention
-
macOS
- BlockBlock - A tool which provides continual protection by monitoring persistence locations and protects them accordingly. Similar to KnockKnock but for blocking.
-
Programming Languages
Sub Categories
Keywords
security
4
persistence
2
dfir
2
incident-response
2
ebpf
2
kernel
2
linux
2
rootkit
2
backdoor
2
mitre
1
remediation
1
powershell-modules
1
powershell
1
containment
1
cleanup
1
libbpf
1
runtime-security
1
linux-kernel-hacking
1
linux-kernel
1
list
1
incident-response-tooling
1
cybersecurity
1
awesome-list
1
awesome
1
unix
1
shell
1
security-research
1
panix
1
detection-engineering
1
bash
1
policy-monitoring
1
pci-dss
1
ossec
1
nist800-53
1
loganalyzer
1
intrusion-detection
1
hids
1
fim
1
file-integrity-management
1
compliance
1
open-source
1
free
1
forensic-analysis
1
digital-forensics
1
computer-forensics
1
macos
1
mitre-attack
1