▲ 17 r/blueteamsec
Built a Linux persistence hunting & artifact collection tool in Bash - persisthunt
I’ve been working on a Bash-based Linux persistence detection and artifact collection script called persisthunt.
The goal is to help defenders and incident responders quickly identify suspicious persistence mechanisms and collect relevant artifacts during investigations without immediately jumping into full disk forensics.
The script currently hunts for a variety of Linux persistence techniques including:
- suspicious network listeners/reverse shells
- eBPF based raw network socket persistence (bpfdoor)
- hidden processes
- systemd services/timers/generators
- cron jobs
- shell profile persistence
- ld.so.preload
- SSH authorized_keys abuse
- world-writable SUID/SGID files
- references to
/tmp,/dev/shm,/dev/tcp,curl,wget,nc, etc. in autorun locations - more...
Findings are categorized as:
- High
- Low
- Informational
based on confidence and severity.
The project is designed to be lightweight and easily customizable depending on the environment and threat model.
Would appreciate feedback, ideas for additional persistence mechanisms to cover, and suggestions from others doing Linux IR/threat hunting.
u/Longjumping_Year6448 — 1 day ago