Question 1

How to detect malware persistence using cron jobs on Linux?

Accepted Answer

The repository suggests checking /etc/crontab and user crontabs for unusual commands, such as web requests, and provides examples like hunting for cryptominers. Tools like commands with grep or scripts from the 'Linux' tools section can automate this.

Question 2

What are the best tools for finding persistence on Windows?

Accepted Answer

Autoruns is highlighted for live system collection, while PersistenceSniper offers PowerShell-based hunting. The README also mentions KAPE for forensic analysis and recommends cross-checking tools due to limitations like null byte issues.

Question 3

How does malware persistence hunting compare to traditional IOC-based detection?

Accepted Answer

Persistence mechanisms are more static and reliable than frequently changed IPs or hashes, offering a lower signal-to-noise ratio. This repository emphasizes this advantage for efficient threat hunting over volatile indicators.

Question 4

How to test if my detection works for persistence techniques?

Accepted Answer

Use tools like Atomic Red Team for specific MITRE ATT&CK techniques, PoisonApple for macOS, or PANIX for Linux. The 'Testing' section provides examples, such as abusing Image File Execution Options for sticky keys hijacking.

Question 5

Is this project better than just using MITRE ATT&CK for persistence info?

Accepted Answer

It complements MITRE ATT&CK by aggregating additional resources like Hexacorn's blog and tool catalogs, offering a more practical, hands-on focus for detection and response, though MITRE remains authoritative for taxonomy.

Question 6

What are fileless malware persistence methods?

Accepted Answer

These often involve changes in configuration files like Windows Registry or cron jobs, rather than traditional files. The README covers examples such as registry run keys and WMI implants, with detection evasion tips.

Malware Persistence

What is Malware Persistence?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions