update

2025-07-18 23:13:11 +02:00
parent c9485bf576
commit 652812eed0
2354 changed files with 1266414 additions and 1 deletions
--- a/html/malwarepersistence.md2.html
+++ b/html/malwarepersistence.md2.html
@@ -0,0 +1,377 @@
+<h1 id="awesome-malware-persistence-awesome">Awesome Malware Persistence
+<a href="https://github.com/sindresorhus/awesome"><img
+src="https://awesome.re/badge.svg" alt="Awesome" /></a></h1>
+<blockquote>
+<p>A curated list of awesome malware persistence tools and
+resources.</p>
+</blockquote>
+<p>Malware persistence consists of techniques that adversaries use to
+keep access to systems across restarts, changed credentials, and other
+interruptions that could cut off their access. Techniques used for
+persistence include any access, action, or configuration changes that
+let them maintain their foothold on systems, such as replacing or
+hijacking legitimate code or adding startup code.</p>
+<p><a
+href="https://github.com/Karneades/malware-persistence/blob/master/README.md">Main
+article about malware persistence</a> with more context and
+information.</p>
+<h2 id="contents">Contents</h2>
+<ul>
+<li><a href="#techniques">Techniques</a>
+<ul>
+<li><a href="#generic">Generic</a></li>
+<li><a href="#linux">Linux</a></li>
+<li><a href="#macos">macOS</a></li>
+<li><a href="#windows">Windows</a></li>
+<li><a href="#cloud">Cloud</a></li>
+<li><a href="#firmware">Firmware</a></li>
+<li><a href="#databases">Databases</a></li>
+</ul></li>
+<li><a href="#persistence-removal">Persistence Removal</a>
+<ul>
+<li><a href="#generic-1">Generic</a></li>
+<li><a href="#windows-1">Windows</a></li>
+</ul></li>
+<li><a href="#detection-testing">Detection Testing</a>
+<ul>
+<li><a href="#generic-2">Generic</a></li>
+<li><a href="#linux-1">Linux</a></li>
+<li><a href="#macos-1">macOS</a></li>
+<li><a href="#windows-2">Windows</a></li>
+</ul></li>
+<li><a href="#prevention">Prevention</a>
+<ul>
+<li><a href="#macos-2">macOS</a></li>
+</ul></li>
+<li><a href="#collection">Collection</a>
+<ul>
+<li><a href="#generic-3">Generic</a></li>
+<li><a href="#linux-2">Linux</a></li>
+<li><a href="#macos-3">macOS</a></li>
+<li><a href="#windows-3">Windows</a></li>
+</ul></li>
+</ul>
+<h2 id="techniques">Techniques</h2>
+<p><em>Persistence techniques and detection.</em></p>
+<h3 id="generic">Generic</h3>
+<ul>
+<li><a href="https://attack.mitre.org/tactics/TA0003/">MITRE ATT&amp;CK
+tactic “TA0003 - Persistence”</a> - MITRE ATT&amp;CK tactic “TA0003 -
+Persistence”.</li>
+<li><a href="https://github.com/ForensicArtifacts/artifacts">forensic
+artifact repository</a> - Forensic artifact repository covers
+persistence techniques in their artifacts.</li>
+<li><a href="https://github.com/Neo23x0/sigma/tree/master/rules">Sigma
+rules</a> - Sigma rules which covers persistence techniques. You can
+even use filters such as <code>--filter tag=attack.persistence</code> or
+specifically for one technique <code>tag=attack.t1084</code>.</li>
+</ul>
+<h3 id="linux">Linux</h3>
+<ul>
+<li><a
+href="https://www.sandflysecurity.com/blog/linux-malware-persistence-with-cron/">Linux
+Malware Persistence with Cron</a> - Blog post about linux persistence
+using cron jobs.</li>
+<li><a
+href="https://research.splunk.com/stories/linux_persistence_techniques/">Linux
+Persistence Techniques</a> - List of persistence techniques.</li>
+<li><a
+href="https://www.linode.com/docs/guides/linux-red-team-persistence-techniques/">Linux
+Red Team Persistence Techniques</a> - List of persistence
+techniques.</li>
+<li><a
+href="https://github.com/Aegrah/PANIX?tab=readme-ov-file#features">PANIX
+- Persistence Against *NIX - Features</a> - List of persistence
+techniques.</li>
+<li><a
+href="https://www.elastic.co/security-labs/primer-on-persistence-mechanisms">Linux
+Detection Engineering - A primer on persistence mechanisms</a> - List of
+Linux persistence mechanisms.</li>
+<li><a href="https://github.com/Gui774ume/ebpfkit">ebpfkit</a> - Rootkit
+leveraging eBPF.</li>
+<li><a href="https://github.com/h3xduck/TripleCross">TripleCross</a> -
+Rootkit leveraging eBPF.</li>
+<li><a
+href="https://righteousit.com/2024/11/18/linux-lkm-persistence/">Linux
+LKM Persistence</a> - Rootkit leveraging Linux loadable kernel module
+(LKM).</li>
+</ul>
+<h3 id="macos">macOS</h3>
+<ul>
+<li><a href="https://theevilbit.github.io/tags/beyond/">theevilbit’s
+series “Beyond the good ol’ LaunchAgents”</a> - List of macOS
+persistence beyond just the LaunchDaemons or LaunchAgents.</li>
+<li><a
+href="https://github.com/objective-see/KnockKnock/blob/main/Plugins">KnockKnock</a>
+- A persistence detection tool for macOS to scan for persistence
+mechanisms on macOS. Specific persistence locations are found in the <a
+href="https://github.com/objective-see/KnockKnock/tree/main/Plugins">plugins</a>
+folder, e.g. <a
+href="https://github.com/objective-see/KnockKnock/blob/main/Plugins/LaunchItems.m#L21">LaunchItems</a>
+or <a
+href="https://github.com/objective-see/KnockKnock/blob/main/Plugins/StartupScripts.m#L22">StartupScripts</a>.</li>
+<li><a
+href="https://github.com/CyborgSecurity/PoisonApple/blob/master/poisonapple/techniques.py">PoisonApple</a>
+- Learn about various macOS persistence techniques by looking at the
+source code of PoisonApple.</li>
+<li><a
+href="https://www.sentinelone.com/blog/how-malware-persists-on-macos/">How
+malware persists on macOS</a> - List of macOS persistence
+mechanisms.</li>
+</ul>
+<h3 id="windows">Windows</h3>
+<ul>
+<li><a
+href="http://www.hexacorn.com/blog/category/autostart-persistence/">Hexacorn’s
+blog</a> - Hexacorn’s blog category for persistence category including
+the series “Beyond good ol’ Run key”.</li>
+<li><a
+href="https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns">Autoruns</a>
+- You can learn which Windows persistence mechanisms are checked by
+looking at the output of Autoruns on your own client. Categories and the
+different locations where things were found are seen in the output. A
+disassembly of Autoruns lists a subset of the entries which are
+scanned.</li>
+<li><a
+href="https://github.com/p0w3rsh3ll/AutoRuns/blob/master/AutoRuns.psm1">PowerShell
+implementation of Autoruns</a> - Another way to find Windows persistence
+locations is to look at the source code of the PowerShell version of
+Autoruns. Bonus: A history of the covered persistence locations for each
+Autoruns version is found at the end of the module file too, which is so
+awesome!</li>
+<li><a
+href="https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/">Common
+malware persistence mechanisms</a> - Different persistence mechanisms
+for different vectors are described.</li>
+<li><a
+href="https://www.andreafortuna.org/2017/07/06/malware-persistence-techniques/">Malware
+persistence techniques</a> - Good summary of multiple persistence
+mechanisms, ranging from multiple registry keys to more advanced one,
+like COM hijacking.</li>
+<li><a
+href="https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96">Detecting
+&amp; Removing an Attacker’s WMI Persistence</a> - Blog post about
+detecting and removing WMI persistence.</li>
+<li><a
+href="https://www.hackingarticles.in/windows-persistence-using-winlogon/">Windows
+Persistence using WinLogon</a> - Blog post about abusing WinLogon.</li>
+<li><a
+href="https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/">Untangling
+Kovter’s persistence methods</a> - Blog post about Kovter’s persistens
+methos, among others, hiding in registry. Another one is <a
+href="https://threatvector.cylance.com/en_us/home/threat-spotlight-kovter-malware-fileless-persistence-mechanism.html">Threat
+Spotlight: Kovter Malware Fileless Persistence Mechanism</a>.</li>
+<li><a
+href="https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/">Persistence
+using GlobalFlags in Image File Execution Options – Hidden from
+Autoruns.exe</a> - Blog post about abusing GlobalFlag for process
+execution.</li>
+<li><a
+href="https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/">Uncovering
+a MyKings Variant With Bootloader Persistence via Managed Detection and
+Response</a> - Blog post about bootloader persistence.</li>
+<li>Various blog posts about COM/CLSID hijacking
+<ul>
+<li><a
+href="https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence">COM
+Object hijacking: the discreet way of persistence, 2014</a></li>
+<li><a
+href="https://pentestlab.blog/2020/05/20/persistence-com-hijacking/">Persistence
+– COM Hijacking, 2020</a></li>
+<li><a
+href="https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/">Abusing
+COM hijacking in combination with scheduled tasks, 2016</a></li>
+</ul></li>
+<li><a
+href="https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook">Hunting
+for persistence via Microsoft Exchange Server or Outlook</a> - Blog post
+about Microsoft Exchange server persistence.</li>
+</ul>
+<h3 id="cloud">Cloud</h3>
+<ul>
+<li><a
+href="https://www.obsidiansecurity.com/blog/shadow-linking-the-persistence-vector-of-saas-identity-threat/">Shadow
+Linking: The Persistence Vector of SaaS Identity Threat</a> - Abuse of
+additional identity providers to persist in an environment.</li>
+<li><a
+href="https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/">Persisting
+on Entra ID applications and User Managed Identities with Federated
+Credentials</a> - Persist on Entra ID applications and User Managed
+Identities with Federated Credentials.</li>
+</ul>
+<h3 id="firmware">Firmware</h3>
+<ul>
+<li><a
+href="https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468">MoonBounce:
+the dark side of UEFI firmware</a> - An in-depth write up about one
+particular UEFI bootkit.</li>
+</ul>
+<h3 id="databases">Databases</h3>
+<ul>
+<li><a
+href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-vector-database-triggers-as-persistence-mechanisms/">Database
+Triggers as Persistence Mechanisms</a> - An in-depth write up about
+database triggers providing persistence.</li>
+</ul>
+<h2 id="persistence-removal">Persistence Removal</h2>
+<p><em>Tools and commands for persistence mechanisms removal. Beside the
+tools mentioned below, use standard OS commands to remove the
+persistence.</em></p>
+<h3 id="generic-1">Generic</h3>
+<ul>
+<li><a
+href="https://github.com/meirwah/awesome-incident-response">Awesome
+Incident Response</a> - Use the tools and resources for security
+incident response, aimed to help security analysts and DFIR teams.</li>
+</ul>
+<h3 id="windows-1">Windows</h3>
+<ul>
+<li><a href="https://github.com/swisscom/PowerSponse">PowerSponse</a> -
+PowerSponse includes various commands for cleanup of persistence
+mechanisms.</li>
+<li><a
+href="https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/">Removing
+Backdoors – Powershell Empire Edition</a> - Various blog posts handle
+the removal of WMI implants.</li>
+<li><a
+href="https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull">RegDelNull</a>
+- Removal of registry keys with null bytes - used e.g. in run keys for
+evasion.</li>
+</ul>
+<h2 id="detection-testing">Detection Testing</h2>
+<p><em>Tools for testing detections. Use the techniques described in <a
+href="#persistence-techniques">Persistence Techniques</a> to create
+these files or add the configuration changes by hand to test your
+detections.</em></p>
+<h3 id="generic-2">Generic</h3>
+<ul>
+<li><a href="https://github.com/redcanaryco/atomic-red-team">Atomic Red
+Team</a> - Atomic Red Team supports also the MITRE ATT&amp;CK
+persistence techniques, see e.g. <a
+href="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1044/T1044.yaml">T1044
+“File System Permissions Weakness”</a>.</li>
+</ul>
+<h3 id="linux-1">Linux</h3>
+<ul>
+<li><a href="https://github.com/Aegrah/PANIX">PANIX</a> - A highly
+customizable Linux persistence tool. Perform various persistence
+techniques against Linux systems, among others Debian and RHEL.</li>
+<li><a href="https://github.com/m0nad/Diamorphine">Diamorphine</a> - A
+loadable kernel module (LKM) rootkit for Linux Kernels (x86/x86_64 and
+ARM64).</li>
+</ul>
+<h3 id="macos-1">macOS</h3>
+<ul>
+<li><a
+href="https://github.com/CyborgSecurity/PoisonApple">PoisonApple</a> -
+Perform various persistence techniques on macOS.</li>
+</ul>
+<h3 id="windows-2">Windows</h3>
+<ul>
+<li><a
+href="https://github.com/hasherezade/persistence_demos">hasherezade
+persistence demos</a> - Various (also non standard) persistence methods
+used by malware for testing own detection, among others COM hijacking
+demo is found in the repo.</li>
+</ul>
+<h2 id="prevention">Prevention</h2>
+<p><em>Tools for preventing malicious persistence.</em></p>
+<h3 id="macos-2">macOS</h3>
+<ul>
+<li><a href="https://github.com/objective-see/BlockBlock">BlockBlock</a>
+- A tool which provides continual protection by monitoring persistence
+locations and protects them accordingly. Similar to KnockKnock but for
+blocking.</li>
+</ul>
+<h2 id="collection">Collection</h2>
+<p><em>Tools for persistence collection.</em></p>
+<h3 id="generic-3">Generic</h3>
+<ul>
+<li><a href="https://github.com/Cugu/awesome-forensics">Awesome
+Forensics</a> - Use the tools from this list which includes awesome free
+(mostly open source) forensic analysis tools and resources. They help
+collecting the persistence mechanisms at scale, e.g. by using remote
+forensics tools.</li>
+<li><a href="https://osquery.readthedocs.io">osquery</a> - Query
+persistence mechanisms on clients.</li>
+<li><a href="https://github.com/ossec/ossec-hids">OSSEC</a> - Use rules
+and logs from the HIDS to detection configuration changes.</li>
+</ul>
+<h3 id="linux-2">Linux</h3>
+<p><em>There is no dedicated persistence collection tool for Linux I’m
+aware of. Use some of the tools from #General or standard OS commands
+for collection. Thanks for contributing links to Linux specific
+persistence collection tools.</em></p>
+<ul>
+<li><a href="https://github.com/sqall01/LSMS">Linux Security and
+Monitoring Scripts</a> - Security and monitoring scripts you can use to
+monitor your Linux installation for security-related events or for an
+investigation. Among other finding systemd unit files used for malware
+persistence.</li>
+</ul>
+<h3 id="macos-3">macOS</h3>
+<ul>
+<li><a
+href="https://www.objective-see.com/products/knockknock.html">KnockKnock</a>
+- A tool to uncover persistently installed software in order to
+generically reveal such malware. See <a
+href="https://github.com/objective-see/KnockKnock">GitHub repository too
+for the source code</a>.</li>
+<li><a href="https://www.objective-see.com/products/dhs.html">Dylib
+Hijack Scanner or DHS</a> - A simple utility that will scan your
+computer for applications that are either susceptible to dylib hijacking
+or have been hijacked. See <a
+href="https://github.com/objective-see/DylibHijackScanner">GitHub
+repository too for the source code</a>.</li>
+</ul>
+<h3 id="windows-3">Windows</h3>
+<ul>
+<li><a
+href="http://technet.microsoft.com/en-us/sysinternals/bb963902">Autoruns</a>
+- A powerful persistence collection tool on Windows is Autoruns. It
+collects different categories and persistence information from a live
+system and <a
+href="https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/">in
+limited ways from offline images</a>. There is a UI and a command line
+program and the output format can be set to CSV which can then be
+imported into your log collection system of choice.</li>
+<li><a
+href="https://github.com/palantir/windows-event-forwarding/blob/master/AutorunsToWinEventLog/AutorunsToWinEventLog.ps1">AutorunsToWinEventLog.ps1</a>
+- Instead of using CSV output and copy these file to the server, you can
+use the AutorunsToWinEventLog script to convert the Autoruns output to
+Windows event logs and rely on standard Windows event log
+forwarding.</li>
+<li><a href="https://github.com/p0w3rsh3ll/AutoRuns">PowerShell
+Autoruns</a> - A PowerShell version of Autoruns.</li>
+<li><a
+href="https://github.com/last-byte/PersistenceSniper">PersistenceSniper</a>
+- Powershell module to hunt for persistence implanted in Windows
+machines.</li>
+<li><a href="https://github.com/keydet89/RegRipper2.8">RegRipper</a> -
+Extracts various persistence mechanisms from the registry files
+directly.</li>
+<li><a href="https://github.com/EricZimmerman/RECmd">RECmd</a> - Extract
+various persistence mechanisms, e.g. by using the config file <a
+href="https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/UserClassesASEPs.reb">UserClassesASEPs</a>
+to extract user’s CLSID information.</li>
+<li><a
+href="https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape">KAPE</a>
+- The tool allows collecting various predefined artifactgs using targets
+and modules, see <a
+href="https://github.com/EricZimmerman/KapeFiles">KapeFiles</a> which
+include persistence mechanisms, among others there’s a collection of <a
+href="https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/LNKFilesAndJumpLists.tkape">LNK
+files</a>, <a
+href="https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/ScheduledTasks.tkape">scheduled
+task files</a> and <a
+href="https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/schtasks.mkape">scheduled
+task listing</a> or a <a
+href="https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/WMI-Repository-Auditing.mkape">WMI
+repository auditing</a> module.</li>
+</ul>
+<h2 id="contributing">Contributing</h2>
+<p>Contributions welcome! Read the <a
+href="CONTRIBUTING.md">contribution guidelines</a> first.</p>
+<p><a
+href="https://github.com/Karneades/awesome-malware-persistence">malwarepersistence.md
+Github</a></p>