mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
73 lines
3.0 KiB
Markdown
73 lines
3.0 KiB
Markdown
---
|
|
name: analyzing-persistence-mechanisms-in-linux
|
|
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
|
|
hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
|
|
domain: cybersecurity
|
|
subdomain: threat-hunting
|
|
tags:
|
|
- linux-persistence
|
|
- crontab
|
|
- systemd
|
|
- ld-preload
|
|
- auditd
|
|
- threat-hunting
|
|
- incident-response
|
|
mitre_attack:
|
|
- T1053.003
|
|
- T1543.002
|
|
- T1574.006
|
|
- T1546.004
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
d3fend_techniques:
|
|
- Executable Denylisting
|
|
- Execution Isolation
|
|
- File Metadata Consistency Validation
|
|
- Process Termination
|
|
- Content Format Conversion
|
|
nist_csf:
|
|
- DE.CM-01
|
|
- DE.AE-02
|
|
- DE.AE-07
|
|
- ID.RA-05
|
|
---
|
|
|
|
# Analyzing Persistence Mechanisms in Linux
|
|
|
|
## Overview
|
|
|
|
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When investigating security incidents that require analyzing persistence mechanisms in linux
|
|
- When building detection rules or threat hunting queries for this domain
|
|
- When SOC analysts need structured procedures for this analysis type
|
|
- When validating security monitoring coverage for related attack techniques
|
|
|
|
## Prerequisites
|
|
|
|
- Root or sudo access on target Linux system (or forensic image)
|
|
- auditd configured with file watch rules on persistence paths
|
|
- Python 3.8+ with standard library (os, subprocess, json)
|
|
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
|
|
|
|
## Steps
|
|
|
|
1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
|
|
2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
|
|
3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
|
|
4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
|
|
5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions
|
|
6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline
|
|
7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms
|
|
|
|
## Expected Output
|
|
|
|
- JSON report of all persistence mechanisms found with risk scores
|
|
- Timeline of persistence installation from auditd correlation
|
|
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
|
|
- Remediation commands for each detected persistence mechanism
|