creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 23:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

3.0 KiB
Raw Blame History

name, description, domain, subdomain, tags, mitre_attack, version, author, license, d3fend_techniques, nist_csf
name description domain subdomain tags mitre_attack version author license d3fend_techniques nist_csf
analyzing-persistence-mechanisms-in-linux Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring cybersecurity threat-hunting
linux-persistence
crontab
systemd
ld-preload
auditd
threat-hunting
incident-response
T1053.003
T1543.002
T1574.006
T1546.004
1.0 mahipal Apache-2.0
Executable Denylisting
Execution Isolation
File Metadata Consistency Validation
Process Termination
Content Format Conversion
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05

Analyzing Persistence Mechanisms in Linux

Overview

Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.

When to Use

  • When investigating security incidents that require analyzing persistence mechanisms in linux
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Root or sudo access on target Linux system (or forensic image)
  • auditd configured with file watch rules on persistence paths
  • Python 3.8+ with standard library (os, subprocess, json)
  • Optional: OSSEC/Wazuh agent for file integrity monitoring alerts

Steps

  1. Scan Crontab Entries — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
  2. Audit Systemd Units — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
  3. Detect LD_PRELOAD Hijacking — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
  4. Inspect Shell Profiles — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
  5. Check SSH Authorized Keys — Audit all authorized_keys files for unauthorized public keys with command restrictions
  6. Correlate Auditd Logs — Search auditd logs for file modification events on persistence paths to build an installation timeline
  7. Generate Persistence Report — Produce a risk-scored report of all discovered persistence mechanisms

Expected Output

  • JSON report of all persistence mechanisms found with risk scores
  • Timeline of persistence installation from auditd correlation
  • MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
  • Remediation commands for each detected persistence mechanism
Reference in New Issue View Git Blame Copy Permalink