Awesome Malware Persistence
A curated list of awesome malware persistence tools and resources.
Malware persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Main article about malware persistence with more context and information.
Contents
Techniques
Persistence techniques and detection.
Generic
- MITRE ATT&CK tactic "TA0003 - Persistence" - Persistence tactic information in the MITRE ATT&CK framework.
- Forensic Artifact repository - A free, community-sourced, machine-readable knowledge base of digital forensic artifacts.
- Sigma rules - Repository of detection rules, covering persistence techniques as well. You can even use filters such as `--filter tag=attack.persistence`, or specifically for one technique `tag=attack.t1084`.
Linux
- Linux Malware Persistence with Cron - Blog post about Linux persistence using cron jobs.
- Linux Persistence Techniques - List of persistence techniques.
- Linux Red Team Persistence Techniques - List of persistence techniques.
- PANIX - Persistence Against *NIX - Features - List of persistence techniques.
- Linux Detection Engineering - A primer on persistence mechanisms - List of Linux persistence mechanisms.
- ebpfkit - Rootkit leveraging eBPF.
- TripleCross - Rootkit leveraging eBPF.
- Linux LKM Persistence - Rootkit leveraging Linux loadable kernel module (LKM).
macOS
- theevilbit's series "Beyond the good ol' LaunchAgents" - List of macOS persistence beyond just the LaunchDaemons or LaunchAgents.
- KnockKnock - A persistence detection tool that scans macOS for persistence mechanisms. The specific persistence locations it checks are found in the plugins folder, e.g. LaunchItems or StartupScripts.
- PoisonApple - Learn about various macOS persistence techniques by looking at the source code of PoisonApple.
- How malware persists on macOS - List of macOS persistence mechanisms.
Windows
- Hexacorn's blog - Blog series "Beyond good ol' Run key" covering a lot of Windows persistence mechanisms.
- Autoruns - Run Autoruns on your own client to learn which Windows persistence mechanisms it checks: the output shows the categories and the different locations where entries were found. A disassembly of Autoruns lists a subset of the entries that are scanned.
- PowerShell implementation of Autoruns - Another way to find Windows persistence locations is to look at the source code of the PowerShell version of Autoruns. Bonus: A history of the covered persistence locations for each Autoruns version is found at the end of the module file too, which is so awesome!