creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-persistence-mechanisms-in-linux/references/api-reference.md
T

101 lines
2.7 KiB
Markdown
Raw Blame History

# Linux Persistence Mechanisms Detection API Reference
## Crontab Inspection Commands
```bash
# List current user crontab
crontab -l
# List crontab for a specific user (requires root)
crontab -l -u username
# List all system cron jobs
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/
cat /etc/crontab
# Find recently modified cron files
find /var/spool/cron/ /etc/cron* -mtime -7 -type f 2>/dev/null
```
## Systemd Unit Audit Commands
```bash
# List all enabled services
systemctl list-unit-files --type=service --state=enabled
# List all active timers
systemctl list-timers --all
# Show service details
systemctl cat suspicious.service
# Find non-package-managed unit files
find /etc/systemd/system/ -name '*.service' -exec sh -c \
'dpkg -S "$1" 2>/dev/null || echo "UNMANAGED: $1"' _ {} \;
# Check for user-level systemd units
find /home -path '*/.config/systemd/user/*.service' 2>/dev/null
```
## LD_PRELOAD Detection
```bash
# Check ld.so.preload file
cat /etc/ld.so.preload 2>/dev/null
# Check environment for LD_PRELOAD
env | grep LD_PRELOAD
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep LD_PRELOAD
# Check running processes for injected libraries
for pid in /proc/[0-9]*; do
grep -l LD_PRELOAD "$pid/environ" 2>/dev/null && echo "PID: $(basename $pid)"
done
```
## Auditd Rules for Persistence Monitoring
```bash
# Monitor crontab modifications
-w /etc/crontab -p wa -k cron_modification
-w /etc/cron.d/ -p wa -k cron_modification
-w /var/spool/cron/ -p wa -k cron_modification
# Monitor systemd unit changes
-w /etc/systemd/system/ -p wa -k systemd_modification
# Monitor ld.so.preload
-w /etc/ld.so.preload -p wa -k ld_preload_modification
# Monitor shell profiles
-w /etc/profile -p wa -k profile_modification
-w /etc/profile.d/ -p wa -k profile_modification
# Monitor authorized_keys
-w /root/.ssh/authorized_keys -p wa -k ssh_key_modification
# Search audit logs for persistence events
ausearch -k cron_modification --start today
ausearch -k systemd_modification -i
```
## SSH Authorized Keys Audit
```bash
# Find all authorized_keys files
find / -name authorized_keys -type f 2>/dev/null
# Check for command restrictions in keys
grep 'command=' /home/*/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/null
```
## MITRE ATT&CK Techniques
| Technique | ID | Persistence Vector |
|-----------|----|--------------------|
| Scheduled Task/Job: Cron | T1053.003 | Crontab entries |
| Create/Modify System Process: Systemd | T1543.002 | Systemd units |
| Hijack Execution Flow: LD_PRELOAD | T1574.006 | Shared library injection |
| Event Triggered Execution: Unix Shell | T1546.004 | .bashrc/.profile |
| Account Manipulation: SSH Keys | T1098.004 | authorized_keys |
Reference in New Issue View Git Blame Copy Permalink