update lists

html/malwarepersistence.html

@@ -23,25 +23,33 @@ information.</p>
 <li><a href="#linux">Linux</a></li>
 <li><a href="#macos">macOS</a></li>
 <li><a href="#windows">Windows</a></li>
+<li><a href="#cloud">Cloud</a></li>
 <li><a href="#firmware">Firmware</a></li>
+<li><a href="#databases">Databases</a></li>
 </ul></li>
 <li><a href="#persistence-removal">Persistence Removal</a>
 <ul>
 <li><a href="#generic-1">Generic</a></li>
 <li><a href="#windows-1">Windows</a></li>
 </ul></li>
-<li><a href="#detection-testing">Detection Testing</a></li>
-<li><a href="#prevention">Prevention</a>
-<ul>
-<li><a href="#macos-1">macOS</a></li>
-</ul></li>
-<li><a href="#collection">Collection</a>
+<li><a href="#detection-testing">Detection Testing</a>
 <ul>
 <li><a href="#generic-2">Generic</a></li>
 <li><a href="#linux-1">Linux</a></li>
-<li><a href="#macos-2">macOS</a></li>
+<li><a href="#macos-1">macOS</a></li>
 <li><a href="#windows-2">Windows</a></li>
 </ul></li>
+<li><a href="#prevention">Prevention</a>
+<ul>
+<li><a href="#macos-2">macOS</a></li>
+</ul></li>
+<li><a href="#collection">Collection</a>
+<ul>
+<li><a href="#generic-3">Generic</a></li>
+<li><a href="#linux-2">Linux</a></li>
+<li><a href="#macos-3">macOS</a></li>
+<li><a href="#windows-3">Windows</a></li>
+</ul></li>
 </ul>
 <h2 id="techniques">Techniques</h2>
 <p><em>Persistence techniques and detection.</em></p>
@@ -71,10 +79,22 @@ Persistence Techniques</a> - List of persistence techniques.</li>
 href="https://www.linode.com/docs/guides/linux-red-team-persistence-techniques/">Linux
 Red Team Persistence Techniques</a> - List of persistence
 techniques.</li>
+<li><a
+href="https://github.com/Aegrah/PANIX?tab=readme-ov-file#features">PANIX
+- Persistence Against *NIX - Features</a> - List of persistence
+techniques.</li>
+<li><a
+href="https://www.elastic.co/security-labs/primer-on-persistence-mechanisms">Linux
+Detection Engineering - A primer on persistence mechanisms</a> - List of
+Linux persistence mechanisms.</li>
 <li><a href="https://github.com/Gui774ume/ebpfkit">ebpfkit</a> - Rootkit
 leveraging eBPF.</li>
 <li><a href="https://github.com/h3xduck/TripleCross">TripleCross</a> -
 Rootkit leveraging eBPF.</li>
+<li><a
+href="https://righteousit.com/2024/11/18/linux-lkm-persistence/">Linux
+LKM Persistence</a> - Rootkit leveraging Linux loadable kernel module
+(LKM).</li>
 </ul>
 <h3 id="macos">macOS</h3>
 <ul>
@@ -167,6 +187,18 @@ href="https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-
 for persistence via Microsoft Exchange Server or Outlook</a> - Blog post
 about Microsoft Exchange server persistence.</li>
 </ul>
+<h3 id="cloud">Cloud</h3>
+<ul>
+<li><a
+href="https://www.obsidiansecurity.com/blog/shadow-linking-the-persistence-vector-of-saas-identity-threat/">Shadow
+Linking: The Persistence Vector of SaaS Identity Threat</a> - Abuse of
+additional identity providers to persist in an environment.</li>
+<li><a
+href="https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/">Persisting
+on Entra ID applications and User Managed Identities with Federated
+Credentials</a> - Persist on Entra ID applications and User Managed
+Identities with Federated Credentials.</li>
+</ul>
 <h3 id="firmware">Firmware</h3>
 <ul>
 <li><a
@@ -174,6 +206,13 @@ href="https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468">M
 the dark side of UEFI firmware</a> - An in-depth write up about one
 particular UEFI bootkit.</li>
 </ul>
+<h3 id="databases">Databases</h3>
+<ul>
+<li><a
+href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-vector-database-triggers-as-persistence-mechanisms/">Database
+Triggers as Persistence Mechanisms</a> - An in-depth write up about
+database triggers providing persistence.</li>
+</ul>
 <h2 id="persistence-removal">Persistence Removal</h2>
 <p><em>Tools and commands for persistence mechanisms removal. Beside the
 tools mentioned below, use standard OS commands to remove the
@@ -204,24 +243,40 @@ evasion.</li>
 href="#persistence-techniques">Persistence Techniques</a> to create
 these files or add the configuration changes by hand to test your
 detections.</em></p>
+<h3 id="generic-2">Generic</h3>
 <ul>
 <li><a href="https://github.com/redcanaryco/atomic-red-team">Atomic Red
 Team</a> - Atomic Red Team supports also the MITRE ATT&amp;CK
 persistence techniques, see e.g. <a
 href="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1044/T1044.yaml">T1044
 “File System Permissions Weakness”</a>.</li>
+</ul>
+<h3 id="linux-1">Linux</h3>
+<ul>
+<li><a href="https://github.com/Aegrah/PANIX">PANIX</a> - A highly
+customizable Linux persistence tool. Perform various persistence
+techniques against Linux systems, among others Debian and RHEL.</li>
+<li><a href="https://github.com/m0nad/Diamorphine">Diamorphine</a> - A
+loadable kernel module (LKM) rootkit for Linux Kernels (x86/x86_64 and
+ARM64).</li>
+</ul>
+<h3 id="macos-1">macOS</h3>
+<ul>
+<li><a
+href="https://github.com/CyborgSecurity/PoisonApple">PoisonApple</a> -
+Perform various persistence techniques on macOS.</li>
+</ul>
+<h3 id="windows-2">Windows</h3>
+<ul>
 <li><a
 href="https://github.com/hasherezade/persistence_demos">hasherezade
 persistence demos</a> - Various (also non standard) persistence methods
 used by malware for testing own detection, among others COM hijacking
 demo is found in the repo.</li>
-<li><a
-href="https://github.com/CyborgSecurity/PoisonApple">PoisonApple</a> -
-Perform various persistence techniques on macOS.</li>
 </ul>
 <h2 id="prevention">Prevention</h2>
 <p><em>Tools for preventing malicious persistence.</em></p>
-<h3 id="macos-1">macOS</h3>
+<h3 id="macos-2">macOS</h3>
 <ul>
 <li><a href="https://github.com/objective-see/BlockBlock">BlockBlock</a>
 - A tool which provides continual protection by monitoring persistence
@@ -230,7 +285,7 @@ blocking.</li>
 </ul>
 <h2 id="collection">Collection</h2>
 <p><em>Tools for persistence collection.</em></p>
-<h3 id="generic-2">Generic</h3>
+<h3 id="generic-3">Generic</h3>
 <ul>
 <li><a href="https://github.com/Cugu/awesome-forensics">Awesome
 Forensics</a> - Use the tools from this list which includes awesome free
@@ -242,7 +297,7 @@ persistence mechanisms on clients.</li>
 <li><a href="https://github.com/ossec/ossec-hids">OSSEC</a> - Use rules
 and logs from the HIDS to detection configuration changes.</li>
 </ul>
-<h3 id="linux-1">Linux</h3>
+<h3 id="linux-2">Linux</h3>
 <p><em>There is no dedicated persistence collection tool for Linux I’m
 aware of. Use some of the tools from #General or standard OS commands
 for collection. Thanks for contributing links to Linux specific
@@ -254,7 +309,7 @@ monitor your Linux installation for security-related events or for an
 investigation. Among other finding systemd unit files used for malware
 persistence.</li>
 </ul>
-<h3 id="macos-2">macOS</h3>
+<h3 id="macos-3">macOS</h3>
 <ul>
 <li><a
 href="https://www.objective-see.com/products/knockknock.html">KnockKnock</a>
@@ -269,7 +324,7 @@ or have been hijacked. See <a
 href="https://github.com/objective-see/DylibHijackScanner">GitHub
 repository too for the source code</a>.</li>
 </ul>
-<h3 id="windows-2">Windows</h3>
+<h3 id="windows-3">Windows</h3>
 <ul>
 <li><a
 href="http://technet.microsoft.com/en-us/sysinternals/bb963902">Autoruns</a>
@@ -317,3 +372,6 @@ repository auditing</a> module.</li>
 <h2 id="contributing">Contributing</h2>
 <p>Contributions welcome! Read the <a
 href="CONTRIBUTING.md">contribution guidelines</a> first.</p>
+<p><a
+href="https://github.com/Karneades/awesome-malware-persistence">malwarepersistence.md
+Github</a></p>