You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
Andreas Hunkeler a9f5ce56c5
Fix lint error for AutoRuns.psm1
1 day ago
.github/workflows Add lint workflow 12 months ago
CONTRIBUTING.md Rename CONTRIBUTING to CONTRIBUTING.md 12 months ago
LICENSE Initial commit 12 months ago
README.md Fix lint error for AutoRuns.psm1 1 day ago
code-of-conduct.md Create code-of-conduct.md 12 months ago

README.md

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

Awesome Malware Persistence Awesome

A curated list of awesome malware persistence tools and resources.

Malware persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

This is an extract with only links to the tools and resources taken from the main article about malware persistence.

Contents

Techniques

Persistence techniques and detection.

Persistence Removal

Tools and commands for persistence mechanisms removal. Beside the tools mentioned below, use standard OS commands to remove the persistence.

General

  • Awesome Incident Response - Use the tools and resources for security incident response, aimed to help security analysts and DFIR teams.

Windows

Detection Testing

Tools for testing detections. Use the techniques described in Persistence Techniques to create these files or add the configuration changes by hand to test your detections.

Prevention

Tools for preventing malicious persistence.

macOS

  • BlockBlock - A tool which provides continual protection by monitoring persistence locations and protects them accordingly. Similar to KnockKnock but for blocking.

Collection

Tools for persistence collection.

General

  • Awesome Forensics - Use the tools from this list which includes awesome free (mostly open source) forensic analysis tools and resources. They help collecting the persistence mechanisms at scale, e.g. by using remote forensics tools.
  • osquery - Query persistence mechanisms on clients.
  • OSSEC - Use rules and logs from the HIDS to detection configuration changes.

Linux

There is no persistence collection tool for Linux. Use some of the tools from #General or standard OS commands for collection. Thanks for contributing links to Linux specific persistence collection tools.

macOS

Windows

  • Autoruns - A powerful persistence collection tool on Windows is Autoruns. It collects different categories and persistence information from a live system and in limited ways from offline images. There is a UI and a command line program and the output format can be set to CSV which can then be imported into your log collection system of choice.
  • AutorunsToWinEventLog.ps1 - Instead of using CSV output and copy these file to the server, you can use the AutorunsToWinEventLog script to convert the Autoruns output to Windows event logs and rely on standard Windows event log forwarding.
  • PowerShell Autoruns - A PowerShell version of Autoruns.
  • PersistenceSniper - Powershell module to hunt for persistence implanted in Windows machines.
  • RegRipper - Extracts various persistence mechanisms from the registry files directly.
  • RECmd - Extract various persistence mechanisms, e.g. by using the config file UserClassesASEPs to extract user's CLSID information.
  • KAPE - The tool allows collecting various predefined artifactgs using targets and modules, see KapeFiles which include persistence mechanisms, among others there's a collection of LNK files, scheduled task files and scheduled task listing or a WMI repository auditing module.

Contributing

Contributions welcome! Read the contribution guidelines first.