mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 22:19:39 +03:00
- analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546 - analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620 - analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004 - analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036 - building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool) - building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534 - deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140
2.8 KiB
2.8 KiB
name, description, domain, subdomain, tags, mitre_attack, version, author, license
| name | description | domain | subdomain | tags | mitre_attack | version | author | license | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| analyzing-persistence-mechanisms-in-linux | Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring | cybersecurity | threat-hunting |
|
|
1.0 | mahipal | Apache-2.0 |
Analyzing Persistence Mechanisms in Linux
Overview
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
When to Use
- When investigating security incidents that require analyzing persistence mechanisms in linux
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Root or sudo access on target Linux system (or forensic image)
- auditd configured with file watch rules on persistence paths
- Python 3.8+ with standard library (os, subprocess, json)
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
Steps
- Scan Crontab Entries — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
- Audit Systemd Units — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
- Detect LD_PRELOAD Hijacking — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
- Inspect Shell Profiles — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
- Check SSH Authorized Keys — Audit all authorized_keys files for unauthorized public keys with command restrictions
- Correlate Auditd Logs — Search auditd logs for file modification events on persistence paths to build an installation timeline
- Generate Persistence Report — Produce a risk-scored report of all discovered persistence mechanisms
Expected Output
- JSON report of all persistence mechanisms found with risk scores
- Timeline of persistence installation from auditd correlation
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
- Remediation commands for each detected persistence mechanism