mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
chore: fix license, add disclaimer, quick start, GitHub topics, issue templates
This commit is contained in:
@@ -0,0 +1,100 @@
|
||||
# Linux Persistence Mechanisms Detection API Reference
|
||||
|
||||
## Crontab Inspection Commands
|
||||
|
||||
```bash
|
||||
# List current user crontab
|
||||
crontab -l
|
||||
|
||||
# List crontab for a specific user (requires root)
|
||||
crontab -l -u username
|
||||
|
||||
# List all system cron jobs
|
||||
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/
|
||||
cat /etc/crontab
|
||||
|
||||
# Find recently modified cron files
|
||||
find /var/spool/cron/ /etc/cron* -mtime -7 -type f 2>/dev/null
|
||||
```
|
||||
|
||||
## Systemd Unit Audit Commands
|
||||
|
||||
```bash
|
||||
# List all enabled services
|
||||
systemctl list-unit-files --type=service --state=enabled
|
||||
|
||||
# List all active timers
|
||||
systemctl list-timers --all
|
||||
|
||||
# Show service details
|
||||
systemctl cat suspicious.service
|
||||
|
||||
# Find non-package-managed unit files
|
||||
find /etc/systemd/system/ -name '*.service' -exec sh -c \
|
||||
'dpkg -S "$1" 2>/dev/null || echo "UNMANAGED: $1"' _ {} \;
|
||||
|
||||
# Check for user-level systemd units
|
||||
find /home -path '*/.config/systemd/user/*.service' 2>/dev/null
|
||||
```
|
||||
|
||||
## LD_PRELOAD Detection
|
||||
|
||||
```bash
|
||||
# Check ld.so.preload file
|
||||
cat /etc/ld.so.preload 2>/dev/null
|
||||
|
||||
# Check environment for LD_PRELOAD
|
||||
env | grep LD_PRELOAD
|
||||
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep LD_PRELOAD
|
||||
|
||||
# Check running processes for injected libraries
|
||||
for pid in /proc/[0-9]*; do
|
||||
grep -l LD_PRELOAD "$pid/environ" 2>/dev/null && echo "PID: $(basename $pid)"
|
||||
done
|
||||
```
|
||||
|
||||
## Auditd Rules for Persistence Monitoring
|
||||
|
||||
```bash
|
||||
# Monitor crontab modifications
|
||||
-w /etc/crontab -p wa -k cron_modification
|
||||
-w /etc/cron.d/ -p wa -k cron_modification
|
||||
-w /var/spool/cron/ -p wa -k cron_modification
|
||||
|
||||
# Monitor systemd unit changes
|
||||
-w /etc/systemd/system/ -p wa -k systemd_modification
|
||||
|
||||
# Monitor ld.so.preload
|
||||
-w /etc/ld.so.preload -p wa -k ld_preload_modification
|
||||
|
||||
# Monitor shell profiles
|
||||
-w /etc/profile -p wa -k profile_modification
|
||||
-w /etc/profile.d/ -p wa -k profile_modification
|
||||
|
||||
# Monitor authorized_keys
|
||||
-w /root/.ssh/authorized_keys -p wa -k ssh_key_modification
|
||||
|
||||
# Search audit logs for persistence events
|
||||
ausearch -k cron_modification --start today
|
||||
ausearch -k systemd_modification -i
|
||||
```
|
||||
|
||||
## SSH Authorized Keys Audit
|
||||
|
||||
```bash
|
||||
# Find all authorized_keys files
|
||||
find / -name authorized_keys -type f 2>/dev/null
|
||||
|
||||
# Check for command restrictions in keys
|
||||
grep 'command=' /home/*/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/null
|
||||
```
|
||||
|
||||
## MITRE ATT&CK Techniques
|
||||
|
||||
| Technique | ID | Persistence Vector |
|
||||
|-----------|----|--------------------|
|
||||
| Scheduled Task/Job: Cron | T1053.003 | Crontab entries |
|
||||
| Create/Modify System Process: Systemd | T1543.002 | Systemd units |
|
||||
| Hijack Execution Flow: LD_PRELOAD | T1574.006 | Shared library injection |
|
||||
| Event Triggered Execution: Unix Shell | T1546.004 | .bashrc/.profile |
|
||||
| Account Manipulation: SSH Keys | T1098.004 | authorized_keys |
|
||||
Reference in New Issue
Block a user