Linux Persistence Mechanisms Detection API Reference
Crontab Inspection Commands
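# --- Crontab inspection ----------------------------------------------------
# Read-only commands; run as root so that other users' spools are readable.

# Crontab of the invoking user.
crontab -l

# Crontab of a specific user (requires root); replace `username`.
crontab -l -u username

# System-wide cron locations: /etc/crontab, the drop-in directories, anacron.
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/
cat /etc/crontab
cat /etc/anacrontab 2>/dev/null   # only present where anacron is installed

# Recently changed cron files. mtime is trivially reset with `touch -r`, so the
# inode change time (-ctime) is checked as well: touch cannot set it, so a
# backdated mtime with a recent ctime is itself a signal worth following up.
find /var/spool/cron/ /etc/cron* -type f \( -mtime -7 -o -ctime -7 \) 2>/dev/null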
Systemd Unit Audit Commands
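# --- Systemd unit audit ----------------------------------------------------

# Enabled services and every timer. A timer is a persistence vector in its own
# right, so both lists belong in the same review.
systemctl list-unit-files --type=service --state=enabled
systemctl list-timers --all

# Full unit text, including drop-in overrides under <unit>.d/; replace the name.
systemctl cat suspicious.service

# Unit files not owned by any package. Symlinks (what `systemctl enable` creates
# under *.wants/) are resolved first and the ownership query runs on the target;
# querying the symlink path itself would report every enabled unit as unmanaged.
# Timers, paths and sockets can start code just like services, so all four unit
# types are covered. dpkg on Debian-family hosts, rpm on RPM-family hosts.
if command -v dpkg >/dev/null 2>&1; then
  owner_query=(dpkg -S)
elif command -v rpm >/dev/null 2>&1; then
  owner_query=(rpm -qf)
else
  owner_query=(false)   # unknown package manager: report everything as unmanaged
fi
while IFS= read -r -d '' unit; do
  target=$unit
  if [[ -L "$unit" ]]; then
    target=$(readlink -f -- "$unit") || target=$unit
  fi
  if ! "${owner_query[@]}" "$target" >/dev/null 2>&1; then
    if [[ "$target" == "$unit" ]]; then
      printf 'UNMANAGED: %s\n' "$unit"
    else
      printf 'UNMANAGED: %s -> %s\n' "$unit" "$target"
    fi
  fi
done < <(find /etc/systemd/system/ \
  \( -type f -o -type l \) \
  \( -name '*.service' -o -name '*.timer' -o -name '*.path' -o -name '*.socket' \) \
  -print0 2>/dev/null)

# User-level units (run by each user's own systemd instance, no root needed to
# create them); /etc/systemd/user/ holds the system-wide defaults for those.
find /home /root /etc/systemd/user \
  \( -path '*/.config/systemd/user/*' -o -path '/etc/systemd/user/*' \) \
  \( -name '*.service' -o -name '*.timer' \) 2>/dev/null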
LD_PRELOAD Detection
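# --- LD_PRELOAD detection --------------------------------------------------

# /etc/ld.so.preload is honoured by every dynamically linked program; on a
# clean host it normally does not exist, so its mere presence is worth noting.
ls -la /etc/ld.so.preload 2>/dev/null && cat /etc/ld.so.preload

# LD_PRELOAD in the *current* shell only; says nothing about other processes.
env | grep '^LD_PRELOAD='

# Per-process check. environ is NUL-separated, so -z makes grep match one
# variable at a time and the ^ anchor avoids false hits on a variable whose
# value merely contains the string; -a treats the file as text.
for pid in /proc/[0-9]*; do
  if grep -qaz '^LD_PRELOAD=' "$pid/environ" 2>/dev/null; then
    printf 'PID %s (%s): ' "${pid##*/}" "$(cat "$pid/comm" 2>/dev/null)"
    tr '\0' '\n' < "$pid/environ" | grep '^LD_PRELOAD='
  fi
done

# environ can be altered by the process itself after start, and a library
# loaded via /etc/ld.so.preload never appears there at all. So also list
# processes with anything mapped from world-writable locations, where no
# legitimate shared object should live. Heuristic: review hits by hand.
grep -l -E ' /(tmp|var/tmp|dev/shm)/' /proc/[0-9]*/maps 2>/dev/null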
Auditd Rules for Persistence Monitoring
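# Persistence watch rules for auditd. -w PATH watches a file, or a directory
# together with its contents; it takes no wildcards, so every path must be
# listed explicitly. -p wa = write and attribute change; -k tags the events
# with a key for ausearch -k.

# cron: system crontab, every drop-in directory, per-user spool
-w /etc/crontab -p wa -k cron_modification
-w /etc/cron.d/ -p wa -k cron_modification
-w /etc/cron.hourly/ -p wa -k cron_modification
-w /etc/cron.daily/ -p wa -k cron_modification
-w /etc/cron.weekly/ -p wa -k cron_modification
-w /etc/cron.monthly/ -p wa -k cron_modification
-w /var/spool/cron/ -p wa -k cron_modification

# systemd: admin-managed units and the system-wide user-unit directory
-w /etc/systemd/system/ -p wa -k systemd_modification
-w /etc/systemd/user/ -p wa -k systemd_modification

# ld.so.preload (a write here affects every dynamically linked process)
-w /etc/ld.so.preload -p wa -k ld_preload_modification

# system-wide shell profiles
-w /etc/profile -p wa -k profile_modification
-w /etc/profile.d/ -p wa -k profile_modification

# SSH keys. Only root is covered here: per-user ~/.ssh/authorized_keys cannot
# be expressed with -w (no wildcards), so add one -w line per account of
# interest, or use a syscall rule with -F dir=/home to cover all homes.
-w /root/.ssh/authorized_keys -p wa -k ssh_key_modification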
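# Query the audit log by key. -i resolves uids and syscall numbers to names;
# --start bounds the window (today, recent, yesterday, this-week, or a date).
# One query per key so each persistence vector gets its own, readable listing.
for key in cron_modification systemd_modification ld_preload_modification \
           profile_modification ssh_key_modification; do
  ausearch -k "$key" -i --start today
done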
SSH Authorized Keys Audit
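# --- SSH authorized_keys audit ---------------------------------------------

# Effective key locations. sshd may read keys from a path other than
# ~/.ssh/authorized_keys, or from a program (AuthorizedKeysCommand); a
# filesystem search alone misses both. sshd -T prints the effective config
# and requires root.
sshd -T 2>/dev/null | grep -i -E '^authorizedkeys(file|command)'

# Every authorized_keys / authorized_keys2 file (the second name is in the
# OpenSSH default AuthorizedKeysFile). Pseudo-filesystems are pruned rather
# than using -xdev, so home directories on other mounts are still searched.
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
  -type f \( -name authorized_keys -o -name authorized_keys2 \) -print 2>/dev/null

# Every key with its source file, comments and blank lines dropped, so that
# unknown keys stand out. The trailing key comment is free text chosen by
# whoever added the key and is not evidence of who owns it.
grep -H -v -E '^\s*(#|$)' /home/*/.ssh/authorized_keys* /root/.ssh/authorized_keys* 2>/dev/null

# Keys carrying a forced command. The larger exposure is the inverse, keys
# without any restriction option, so compare against the full listing above.
grep -H 'command=' /home/*/.ssh/authorized_keys* /root/.ssh/authorized_keys* 2>/dev/null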
MITRE ATT&CK Techniques
| Technique | ID | Persistence Vector |
|---|---|---|
| Scheduled Task/Job: Cron | T1053.003 | Crontab entries |
| Create/Modify System Process: Systemd | T1543.002 | Systemd units |
| Hijack Execution Flow: LD_PRELOAD | T1574.006 | Shared library injection |
| Event Triggered Execution: Unix Shell | T1546.004 | .bashrc/.profile |
| Account Manipulation: SSH Keys | T1098.004 | authorized_keys |