Files
Anthropic-Cybersecurity-Skills/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.0 KiB

name, description, domain, subdomain, tags, mitre_attack, version, author, license, d3fend_techniques, nist_csf
name description domain subdomain tags mitre_attack version author license d3fend_techniques nist_csf
analyzing-persistence-mechanisms-in-linux Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring cybersecurity threat-hunting
linux-persistence
crontab
systemd
ld-preload
auditd
threat-hunting
incident-response
T1053.003
T1543.002
T1574.006
T1546.004
T1098.004
1.0 mahipal Apache-2.0
Executable Denylisting
Execution Isolation
File Metadata Consistency Validation
Process Termination
Content Format Conversion
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05

Analyzing Persistence Mechanisms in Linux

Overview

Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.

When to Use

  • When investigating security incidents that require analyzing persistence mechanisms in linux
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Root or sudo access on target Linux system (or forensic image)
  • auditd configured with file watch rules on persistence paths
  • Python 3.8+ with standard library (os, subprocess, json)
  • Optional: OSSEC/Wazuh agent for file integrity monitoring alerts

Steps

  1. Scan Crontab Entries — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
  2. Audit Systemd Units — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
  3. Detect LD_PRELOAD Hijacking — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
  4. Inspect Shell Profiles — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
  5. Check SSH Authorized Keys — Audit all authorized_keys files for unauthorized public keys with command restrictions
  6. Correlate Auditd Logs — Search auditd logs for file modification events on persistence paths to build an installation timeline
  7. Generate Persistence Report — Produce a risk-scored report of all discovered persistence mechanisms

Expected Output

  • JSON report of all persistence mechanisms found with risk scores
  • Timeline of persistence installation from auditd correlation
  • MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
  • Remediation commands for each detected persistence mechanism