awesome-malware-persistence

Malware persistence techniques

A curated list of techniques and tools for maintaining access to systems after initial entry

A curated list of awesome malware persistence tools and resources.

GitHub

187 stars
4 watching
12 forks
last commit: 3 months ago
Linked from 2 awesome lists

awesomeawesome-listmalwaremalware-analysismalware-detectionmalware-persistencepersistencethreat-huntingthreat-intelligence

Awesome Malware Persistence / Techniques / Generic

MITRE ATT&CK tactic "TA0003 - Persistence" MITRE ATT&CK tactic "TA0003 - Persistence"
forensic artifact repository 1,062 3 months ago Forensic artifact repository covers persistence techniques in their artifacts
Sigma rules 8,371 7 days ago Sigma rules which covers persistence techniques. You can even use filters such as or specifically for one technique

Awesome Malware Persistence / Techniques / Linux

Linux Malware Persistence with Cron Blog post about linux persistence using cron jobs
Linux Persistence Techniques List of persistence techniques
Linux Red Team Persistence Techniques List of persistence techniques
PANIX - Persistence Against *NIX - Features 410 3 months ago List of persistence techniques
Linux Detection Engineering - A primer on persistence mechanisms List of Linux persistence mechanisms
ebpfkit 761 over 1 year ago Rootkit leveraging eBPF
TripleCross 1,786 8 months ago Rootkit leveraging eBPF

Awesome Malware Persistence / Techniques / macOS

theevilbit's series "Beyond the good ol' LaunchAgents" List of macOS persistence beyond just the LaunchDaemons or LaunchAgents
KnockKnock 450 about 2 months ago A persistence detection tool for macOS to scan for persistence mechanisms on macOS. Specific persistence locations are found in the folder, e.g. or
PoisonApple 221 almost 3 years ago Learn about various macOS persistence techniques by looking at the source code of PoisonApple
How malware persists on macOS List of macOS persistence mechanisms

Awesome Malware Persistence / Techniques / Windows

Hexacorn's blog Hexacorn's blog category for persistence category including the series "Beyond good ol' Run key"
Autoruns You can learn which Windows persistence mechanisms are checked by looking at the output of Autoruns on your own client. Categories and the different locations where things were found are seen in the output. A disassembly of Autoruns lists a subset of the entries which are scanned
PowerShell implementation of Autoruns 256 7 months ago Another way to find Windows persistence locations is to look at the source code of the PowerShell version of Autoruns. Bonus: A history of the covered persistence locations for each Autoruns version is found at the end of the module file too, which is so awesome!
Common malware persistence mechanisms Different persistence mechanisms for different vectors are described
Malware persistence techniques Good summary of multiple persistence mechanisms, ranging from multiple registry keys to more advanced one, like COM hijacking
Detecting & Removing an Attacker's WMI Persistence Blog post about detecting and removing WMI persistence
Windows Persistence using WinLogon Blog post about abusing WinLogon
Untangling Kovter's persistence methods Blog post about Kovter's persistens methos, among others, hiding in registry. Another one is
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe Blog post about abusing GlobalFlag for process execution
Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response Blog post about bootloader persistence

Awesome Malware Persistence / Techniques / Windows / Various blog posts about COM/CLSID hijacking

COM Object hijacking: the discreet way of persistence, 2014
Persistence – COM Hijacking, 2020
Abusing COM hijacking in combination with scheduled tasks, 2016

Awesome Malware Persistence / Techniques / Windows

Hunting for persistence via Microsoft Exchange Server or Outlook Blog post about Microsoft Exchange server persistence

Awesome Malware Persistence / Techniques / Cloud

Shadow Linking: The Persistence Vector of SaaS Identity Threat Abuse of additional identity providers to persist in an environment
Persisting on Entra ID applications and User Managed Identities with Federated Credentials Persist on Entra ID applications and User Managed Identities with Federated Credentials

Awesome Malware Persistence / Techniques / Firmware

MoonBounce: the dark side of UEFI firmware An in-depth write up about one particular UEFI bootkit

Awesome Malware Persistence / Persistence Removal / Generic

Awesome Incident Response 7,682 4 months ago Use the tools and resources for security incident response, aimed to help security analysts and DFIR teams

Awesome Malware Persistence / Persistence Removal / Windows

PowerSponse 38 over 2 years ago PowerSponse includes various commands for cleanup of persistence mechanisms
Removing Backdoors – Powershell Empire Edition Various blog posts handle the removal of WMI implants
RegDelNull Removal of registry keys with null bytes - used e.g. in run keys for evasion

Awesome Malware Persistence / Detection Testing / Generic

Atomic Red Team 9,782 8 days ago Atomic Red Team supports also the MITRE ATT&CK persistence techniques, see e.g.

Awesome Malware Persistence / Detection Testing / Linux

PANIX 410 3 months ago A highly customizable Linux persistence tool. Perform various persistence techniques against Linux systems, among others Debian and RHEL

Awesome Malware Persistence / Detection Testing / macOS

PoisonApple 221 almost 3 years ago Perform various persistence techniques on macOS

Awesome Malware Persistence / Detection Testing / Windows

hasherezade persistence demos 219 over 1 year ago Various (also non standard) persistence methods used by malware for testing own detection, among others COM hijacking demo is found in the repo

Awesome Malware Persistence / Prevention / macOS

BlockBlock 642 2 months ago A tool which provides continual protection by monitoring persistence locations and protects them accordingly. Similar to KnockKnock but for blocking

Awesome Malware Persistence / Collection / Generic

Awesome Forensics 4,000 11 days ago Use the tools from this list which includes awesome free (mostly open source) forensic analysis tools and resources. They help collecting the persistence mechanisms at scale, e.g. by using remote forensics tools
osquery Query persistence mechanisms on clients
OSSEC 4,502 6 months ago Use rules and logs from the HIDS to detection configuration changes

Awesome Malware Persistence / Collection / Linux

Linux Security and Monitoring Scripts 318 about 1 month ago Security and monitoring scripts you can use to monitor your Linux installation for security-related events or for an investigation. Among other finding systemd unit files used for malware persistence

Awesome Malware Persistence / Collection / macOS

KnockKnock A tool to uncover persistently installed software in order to generically reveal such malware. See
Dylib Hijack Scanner or DHS A simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. See

Awesome Malware Persistence / Collection / Windows

Autoruns A powerful persistence collection tool on Windows is Autoruns. It collects different categories and persistence information from a live system and . There is a UI and a command line program and the output format can be set to CSV which can then be imported into your log collection system of choice
AutorunsToWinEventLog.ps1 1,228 4 months ago Instead of using CSV output and copy these file to the server, you can use the AutorunsToWinEventLog script to convert the Autoruns output to Windows event logs and rely on standard Windows event log forwarding
PowerShell Autoruns 256 7 months ago A PowerShell version of Autoruns
PersistenceSniper 1,911 5 months ago Powershell module to hunt for persistence implanted in Windows machines
RegRipper Extracts various persistence mechanisms from the registry files directly
RECmd 131 18 days ago Extract various persistence mechanisms, e.g. by using the config file to extract user's CLSID information
KAPE The tool allows collecting various predefined artifactgs using targets and modules, see which include persistence mechanisms, among others there's a collection of , and or a module

Backlinks from these awesome lists:

More related projects: