<h1 id="awesome-malware-persistence-awesome">Awesome Malware Persistence
<a href="https://github.com/sindresorhus/awesome"><img
src="https://awesome.re/badge.svg" alt="Awesome" /></a></h1>
<blockquote>
<p>A curated list of awesome malware persistence tools and
resources.</p>
</blockquote>
<p>Malware persistence consists of techniques that adversaries use to
keep access to systems across restarts, changed credentials, and other
interruptions that could cut off their access. Techniques used for
persistence include any access, action, or configuration changes that
let them maintain their foothold on systems, such as replacing or
hijacking legitimate code or adding startup code.</p>
<p><a
href="https://github.com/Karneades/malware-persistence/blob/master/README.md">Main
article about malware persistence</a> with more context and
information.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#techniques">Techniques</a>
<ul>
<li><a href="#generic">Generic</a></li>
<li><a href="#linux">Linux</a></li>
<li><a href="#macos">macOS</a></li>
<li><a href="#windows">Windows</a></li>
<li><a href="#cloud">Cloud</a></li>
<li><a href="#firmware">Firmware</a></li>
<li><a href="#databases">Databases</a></li>
</ul></li>
<li><a href="#persistence-removal">Persistence Removal</a>
<ul>
<li><a href="#generic-1">Generic</a></li>
<li><a href="#windows-1">Windows</a></li>
</ul></li>
<li><a href="#detection-testing">Detection Testing</a>
<ul>
<li><a href="#generic-2">Generic</a></li>
<li><a href="#linux-1">Linux</a></li>
<li><a href="#macos-1">macOS</a></li>
<li><a href="#windows-2">Windows</a></li>
</ul></li>
<li><a href="#prevention">Prevention</a>
<ul>
<li><a href="#macos-2">macOS</a></li>
</ul></li>
<li><a href="#collection">Collection</a>
<ul>
<li><a href="#generic-3">Generic</a></li>
<li><a href="#linux-2">Linux</a></li>
<li><a href="#macos-3">macOS</a></li>
<li><a href="#windows-3">Windows</a></li>
</ul></li>
</ul>
<h2 id="techniques">Techniques</h2>
<p><em>Persistence techniques and detection.</em></p>
<h3 id="generic">Generic</h3>
<ul>
<li><a href="https://attack.mitre.org/tactics/TA0003/">MITRE ATT&amp;CK
tactic “TA0003 - Persistence”</a> - The MITRE ATT&amp;CK tactic page,
which lists all persistence techniques.</li>
<li><a href="https://github.com/ForensicArtifacts/artifacts">forensic
artifact repository</a> - The forensic artifact repository covers
persistence techniques in its artifact definitions.</li>
<li><a href="https://github.com/Neo23x0/sigma/tree/master/rules">Sigma
rules</a> - Sigma rules that cover persistence techniques. You can also
use filters such as <code>--filter tag=attack.persistence</code> or, for
one specific technique, <code>tag=attack.t1084</code>.</li>
</ul>
<h3 id="linux">Linux</h3>
<ul>
<li><a
href="https://www.sandflysecurity.com/blog/linux-malware-persistence-with-cron/">Linux
Malware Persistence with Cron</a> - Blog post about Linux persistence
using cron jobs.</li>
<li><a
href="https://research.splunk.com/stories/linux_persistence_techniques/">Linux
Persistence Techniques</a> - List of persistence techniques.</li>
<li><a
href="https://www.linode.com/docs/guides/linux-red-team-persistence-techniques/">Linux
Red Team Persistence Techniques</a> - List of persistence
techniques.</li>
<li><a
href="https://github.com/Aegrah/PANIX?tab=readme-ov-file#features">PANIX
- Persistence Against *NIX - Features</a> - List of persistence
techniques.</li>
<li><a
href="https://www.elastic.co/security-labs/primer-on-persistence-mechanisms">Linux
Detection Engineering - A primer on persistence mechanisms</a> - List of
Linux persistence mechanisms.</li>
<li><a href="https://github.com/Gui774ume/ebpfkit">ebpfkit</a> - Rootkit
leveraging eBPF.</li>
<li><a href="https://github.com/h3xduck/TripleCross">TripleCross</a> -
Rootkit leveraging eBPF.</li>
<li><a
href="https://righteousit.com/2024/11/18/linux-lkm-persistence/">Linux
LKM Persistence</a> - Rootkit leveraging Linux loadable kernel module
(LKM).</li>
</ul>
<h3 id="macos">macOS</h3>
<ul>
<li><a href="https://theevilbit.github.io/tags/beyond/">theevilbit's
series “Beyond the good ol' LaunchAgents”</a> - List of macOS
persistence mechanisms beyond just LaunchDaemons and LaunchAgents.</li>
<li><a
href="https://github.com/objective-see/KnockKnock/blob/main/Plugins">KnockKnock</a>
- A persistence detection tool that scans macOS for persistence
mechanisms. The specific persistence locations are found in the <a
href="https://github.com/objective-see/KnockKnock/tree/main/Plugins">plugins</a>
folder, e.g. <a
href="https://github.com/objective-see/KnockKnock/blob/main/Plugins/LaunchItems.m#L21">LaunchItems</a>
or <a
href="https://github.com/objective-see/KnockKnock/blob/main/Plugins/StartupScripts.m#L22">StartupScripts</a>.</li>
<li><a
href="https://github.com/CyborgSecurity/PoisonApple/blob/master/poisonapple/techniques.py">PoisonApple</a>
- Learn about various macOS persistence techniques by looking at the
source code of PoisonApple.</li>
<li><a
href="https://www.sentinelone.com/blog/how-malware-persists-on-macos/">How
malware persists on macOS</a> - List of macOS persistence
mechanisms.</li>
</ul>
<h3 id="windows">Windows</h3>
<ul>
<li><a
href="http://www.hexacorn.com/blog/category/autostart-persistence/">Hexacorn's
blog</a> - Hexacorn's blog category on autostart persistence, including
the series “Beyond good ol' Run key”.</li>
<li><a
href="https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns">Autoruns</a>
- You can learn which Windows persistence mechanisms are checked by
looking at the output of Autoruns on your own client; the output shows
the categories and the different locations where entries were found. A
disassembly of Autoruns lists a subset of the entries which are
scanned.</li>
<li><a
href="https://github.com/p0w3rsh3ll/AutoRuns/blob/master/AutoRuns.psm1">PowerShell
implementation of Autoruns</a> - Another way to find Windows persistence
locations is to look at the source code of the PowerShell version of
Autoruns. Bonus: A history of the covered persistence locations for each
Autoruns version is found at the end of the module file too, which is so
awesome!</li>
<li><a
href="https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/">Common
malware persistence mechanisms</a> - Different persistence mechanisms
for different vectors are described.</li>
<li><a
href="https://www.andreafortuna.org/2017/07/06/malware-persistence-techniques/">Malware
persistence techniques</a> - Good summary of multiple persistence
mechanisms, ranging from multiple registry keys to more advanced ones,
like COM hijacking.</li>
<li><a
href="https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96">Detecting
&amp; Removing an Attacker's WMI Persistence</a> - Blog post about
detecting and removing WMI persistence.</li>
<li><a
href="https://www.hackingarticles.in/windows-persistence-using-winlogon/">Windows
Persistence using WinLogon</a> - Blog post about abusing WinLogon.</li>
<li><a
href="https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/">Untangling
Kovter's persistence methods</a> - Blog post about Kovter's persistence
methods, among them hiding in the registry. Another one is <a
href="https://threatvector.cylance.com/en_us/home/threat-spotlight-kovter-malware-fileless-persistence-mechanism.html">Threat
Spotlight: Kovter Malware Fileless Persistence Mechanism</a>.</li>
<li><a
href="https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/">Persistence
using GlobalFlags in Image File Execution Options Hidden from
Autoruns.exe</a> - Blog post about abusing GlobalFlag for process
execution.</li>
<li><a
href="https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/">Uncovering
a MyKings Variant With Bootloader Persistence via Managed Detection and
Response</a> - Blog post about bootloader persistence.</li>
<li>Various blog posts about COM/CLSID hijacking
<ul>
<li><a
href="https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence">COM
Object hijacking: the discreet way of persistence, 2014</a></li>
<li><a
href="https://pentestlab.blog/2020/05/20/persistence-com-hijacking/">Persistence
COM Hijacking, 2020</a></li>
<li><a
href="https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/">Abusing
COM hijacking in combination with scheduled tasks, 2016</a></li>
</ul></li>
<li><a
href="https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook">Hunting
for persistence via Microsoft Exchange Server or Outlook</a> - Blog post
about Microsoft Exchange server persistence.</li>
</ul>
<h3 id="cloud">Cloud</h3>
<ul>
<li><a
href="https://www.obsidiansecurity.com/blog/shadow-linking-the-persistence-vector-of-saas-identity-threat/">Shadow
Linking: The Persistence Vector of SaaS Identity Threat</a> - Abuse of
additional identity providers to persist in an environment.</li>
<li><a
href="https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/">Persisting
on Entra ID applications and User Managed Identities with Federated
Credentials</a> - Persist on Entra ID applications and User Managed
Identities with Federated Credentials.</li>
</ul>
<h3 id="firmware">Firmware</h3>
<ul>
<li><a
href="https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468">MoonBounce:
the dark side of UEFI firmware</a> - An in-depth write up about one
particular UEFI bootkit.</li>
</ul>
<h3 id="databases">Databases</h3>
<ul>
<li><a
href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-vector-database-triggers-as-persistence-mechanisms/">Database
Triggers as Persistence Mechanisms</a> - An in-depth write up about
database triggers providing persistence.</li>
</ul>
<h2 id="persistence-removal">Persistence Removal</h2>
<p><em>Tools and commands for the removal of persistence mechanisms.
Besides the tools mentioned below, use standard OS commands to remove
the persistence.</em></p>
<h3 id="generic-1">Generic</h3>
<ul>
<li><a
href="https://github.com/meirwah/awesome-incident-response">Awesome
Incident Response</a> - Tools and resources for security incident
response, aimed at helping security analysts and DFIR teams.</li>
</ul>
<h3 id="windows-1">Windows</h3>
<ul>
<li><a href="https://github.com/swisscom/PowerSponse">PowerSponse</a> -
PowerSponse includes various commands for cleanup of persistence
mechanisms.</li>
<li><a
href="https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/">Removing
Backdoors PowerShell Empire Edition</a> - One of various blog posts that
handle the removal of WMI implants.</li>
<li><a
href="https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull">RegDelNull</a>
- Removes registry keys containing null bytes, which are used e.g. in
Run keys for evasion.</li>
</ul>
<h2 id="detection-testing">Detection Testing</h2>
<p><em>Tools for testing detections. Use the techniques described in <a
href="#techniques">Techniques</a> to create these files or add the
configuration changes by hand to test your detections.</em></p>
<h3 id="generic-2">Generic</h3>
<ul>
<li><a href="https://github.com/redcanaryco/atomic-red-team">Atomic Red
Team</a> - Atomic Red Team also covers the MITRE ATT&amp;CK persistence
techniques, see e.g. <a
href="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1044/T1044.yaml">T1044
“File System Permissions Weakness”</a>.</li>
</ul>
<h3 id="linux-1">Linux</h3>
<ul>
<li><a href="https://github.com/Aegrah/PANIX">PANIX</a> - A highly
customizable Linux persistence tool. Performs various persistence
techniques against Linux systems, among them Debian and RHEL.</li>
<li><a href="https://github.com/m0nad/Diamorphine">Diamorphine</a> - A
loadable kernel module (LKM) rootkit for Linux Kernels (x86/x86_64 and
ARM64).</li>
</ul>
<h3 id="macos-1">macOS</h3>
<ul>
<li><a
href="https://github.com/CyborgSecurity/PoisonApple">PoisonApple</a> -
Perform various persistence techniques on macOS.</li>
</ul>
<h3 id="windows-2">Windows</h3>
<ul>
<li><a
href="https://github.com/hasherezade/persistence_demos">hasherezade
persistence demos</a> - Various (also non-standard) persistence methods
used by malware, for testing your own detections; among others, a COM
hijacking demo is found in the repo.</li>
</ul>
<h2 id="prevention">Prevention</h2>
<p><em>Tools for preventing malicious persistence.</em></p>
<h3 id="macos-2">macOS</h3>
<ul>
<li><a href="https://github.com/objective-see/BlockBlock">BlockBlock</a>
- A tool that provides continual protection by monitoring persistence
locations and blocking changes to them. Similar to KnockKnock, but for
blocking.</li>
</ul>
<h2 id="collection">Collection</h2>
<p><em>Tools for persistence collection.</em></p>
<h3 id="generic-3">Generic</h3>
<ul>
<li><a href="https://github.com/Cugu/awesome-forensics">Awesome
Forensics</a> - A list of awesome free (mostly open-source) forensic
analysis tools and resources. They help collect persistence mechanisms
at scale, e.g. by using remote forensics tools.</li>
<li><a href="https://osquery.readthedocs.io">osquery</a> - Query
persistence mechanisms on clients.</li>
<li><a href="https://github.com/ossec/ossec-hids">OSSEC</a> - Use rules
and logs from the HIDS to detect configuration changes.</li>
</ul>
<h3 id="linux-2">Linux</h3>
<p><em>There is no dedicated persistence collection tool for Linux I'm
aware of. Use some of the tools from <a href="#generic-3">Generic</a> or
standard OS commands for collection. Thanks for contributing links to
Linux-specific persistence collection tools.</em></p>
<ul>
<li><a href="https://github.com/sqall01/LSMS">Linux Security and
Monitoring Scripts</a> - Security and monitoring scripts you can use to
monitor your Linux installation for security-related events or for an
investigation. Among other things, they find systemd unit files used for
malware persistence.</li>
</ul>
<h3 id="macos-3">macOS</h3>
<ul>
<li><a
href="https://www.objective-see.com/products/knockknock.html">KnockKnock</a>
- A tool to uncover persistently installed software in order to
generically reveal such malware. See also the <a
href="https://github.com/objective-see/KnockKnock">GitHub repository</a>
for the source code.</li>
<li><a href="https://www.objective-see.com/products/dhs.html">Dylib
Hijack Scanner or DHS</a> - A simple utility that scans your computer
for applications that are either susceptible to dylib hijacking or have
already been hijacked. See also the <a
href="https://github.com/objective-see/DylibHijackScanner">GitHub
repository</a> for the source code.</li>
</ul>
<h3 id="windows-3">Windows</h3>
<ul>
<li><a
href="http://technet.microsoft.com/en-us/sysinternals/bb963902">Autoruns</a>
- A powerful persistence collection tool on Windows. It collects
persistence information in different categories from a live system and,
<a
href="https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/">in
limited ways, from offline images</a>. There is a UI and a command-line
program, and the output format can be set to CSV, which can then be
imported into your log collection system of choice.</li>
<li><a
href="https://github.com/palantir/windows-event-forwarding/blob/master/AutorunsToWinEventLog/AutorunsToWinEventLog.ps1">AutorunsToWinEventLog.ps1</a>
- Instead of using CSV output and copying those files to a server, you
can use the AutorunsToWinEventLog script to convert the Autoruns output
to Windows event logs and rely on standard Windows event log
forwarding.</li>
<li><a href="https://github.com/p0w3rsh3ll/AutoRuns">PowerShell
Autoruns</a> - A PowerShell version of Autoruns.</li>
<li><a
href="https://github.com/last-byte/PersistenceSniper">PersistenceSniper</a>
- PowerShell module to hunt for persistence implanted in Windows
machines.</li>
<li><a href="https://github.com/keydet89/RegRipper2.8">RegRipper</a> -
Extracts various persistence mechanisms from the registry files
directly.</li>
<li><a href="https://github.com/EricZimmerman/RECmd">RECmd</a> - Extracts
various persistence mechanisms, e.g. by using the config file <a
href="https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/UserClassesASEPs.reb">UserClassesASEPs</a>
to extract users' CLSID information.</li>
<li><a
href="https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape">KAPE</a>
- The tool allows collecting various predefined artifacts using targets
and modules, see <a
href="https://github.com/EricZimmerman/KapeFiles">KapeFiles</a>, which
include persistence mechanisms; among others, there's a collection of <a
href="https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/LNKFilesAndJumpLists.tkape">LNK
files</a>, <a
href="https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/ScheduledTasks.tkape">scheduled
task files</a> and a <a
href="https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/schtasks.mkape">scheduled
task listing</a> or a <a
href="https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/WMI-Repository-Auditing.mkape">WMI
repository auditing</a> module.</li>
</ul>
<h2 id="contributing">Contributing</h2>
<p>Contributions welcome! Read the <a
href="CONTRIBUTING.md">contribution guidelines</a> first.</p>
<p><a
href="https://github.com/Karneades/awesome-malware-persistence">malwarepersistence.md
on GitHub</a></p>