threat hunting

Analyzing Persistence Mechanisms in Linux

Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring

auditdcrontabincident-responseld-preloadlinux-persistencesystemdthreat-hunting
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.

When to Use

  • When investigating security incidents that require analyzing persistence mechanisms in linux
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Root or sudo access on target Linux system (or forensic image)
  • auditd configured with file watch rules on persistence paths
  • Python 3.8+ with standard library (os, subprocess, json)
  • Optional: OSSEC/Wazuh agent for file integrity monitoring alerts

Steps

  1. Scan Crontab Entries — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
  2. Audit Systemd Units — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
  3. Detect LD_PRELOAD Hijacking — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
  4. Inspect Shell Profiles — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
  5. Check SSH Authorized Keys — Audit all authorized_keys files for unauthorized public keys with command restrictions
  6. Correlate Auditd Logs — Search auditd logs for file modification events on persistence paths to build an installation timeline
  7. Generate Persistence Report — Produce a risk-scored report of all discovered persistence mechanisms

Expected Output

  • JSON report of all persistence mechanisms found with risk scores
  • Timeline of persistence installation from auditd correlation
  • MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
  • Remediation commands for each detected persistence mechanism
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.7 KB

Linux Persistence Mechanisms Detection API Reference

Crontab Inspection Commands

# List current user crontab
crontab -l
 
# List crontab for a specific user (requires root)
crontab -l -u username
 
# List all system cron jobs
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/
cat /etc/crontab
 
# Find recently modified cron files
find /var/spool/cron/ /etc/cron* -mtime -7 -type f 2>/dev/null

Systemd Unit Audit Commands

# List all enabled services
systemctl list-unit-files --type=service --state=enabled
 
# List all active timers
systemctl list-timers --all
 
# Show service details
systemctl cat suspicious.service
 
# Find non-package-managed unit files
find /etc/systemd/system/ -name '*.service' -exec sh -c \
  'dpkg -S "$1" 2>/dev/null || echo "UNMANAGED: $1"' _ {} \;
 
# Check for user-level systemd units
find /home -path '*/.config/systemd/user/*.service' 2>/dev/null

LD_PRELOAD Detection

# Check ld.so.preload file
cat /etc/ld.so.preload 2>/dev/null
 
# Check environment for LD_PRELOAD
env | grep LD_PRELOAD
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep LD_PRELOAD
 
# Check running processes for injected libraries
for pid in /proc/[0-9]*; do
  grep -l LD_PRELOAD "$pid/environ" 2>/dev/null && echo "PID: $(basename $pid)"
done

Auditd Rules for Persistence Monitoring

# Monitor crontab modifications
-w /etc/crontab -p wa -k cron_modification
-w /etc/cron.d/ -p wa -k cron_modification
-w /var/spool/cron/ -p wa -k cron_modification
 
# Monitor systemd unit changes
-w /etc/systemd/system/ -p wa -k systemd_modification
 
# Monitor ld.so.preload
-w /etc/ld.so.preload -p wa -k ld_preload_modification
 
# Monitor shell profiles
-w /etc/profile -p wa -k profile_modification
-w /etc/profile.d/ -p wa -k profile_modification
 
# Monitor authorized_keys
-w /root/.ssh/authorized_keys -p wa -k ssh_key_modification
 
# Search audit logs for persistence events
ausearch -k cron_modification --start today
ausearch -k systemd_modification -i

SSH Authorized Keys Audit

# Find all authorized_keys files
find / -name authorized_keys -type f 2>/dev/null
 
# Check for command restrictions in keys
grep 'command=' /home/*/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/null

MITRE ATT&CK Techniques

Technique ID Persistence Vector
Scheduled Task/Job: Cron T1053.003 Crontab entries
Create/Modify System Process: Systemd T1543.002 Systemd units
Hijack Execution Flow: LD_PRELOAD T1574.006 Shared library injection
Event Triggered Execution: Unix Shell T1546.004 .bashrc/.profile
Account Manipulation: SSH Keys T1098.004 authorized_keys

Scripts 1

agent.py10.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Analyze Linux persistence mechanisms: crontab, systemd, LD_PRELOAD, shell profiles, SSH keys."""

import os
import re
import json
import glob
import subprocess
import argparse
from datetime import datetime
from collections import defaultdict

CRON_PATHS = [
    "/etc/crontab", "/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/",
    "/etc/cron.weekly/", "/etc/cron.monthly/", "/var/spool/cron/crontabs/",
    "/var/spool/cron/",
]

SYSTEMD_PATHS = [
    "/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/",
    "/run/systemd/system/",
]

SHELL_PROFILES = [".bashrc", ".bash_profile", ".profile", ".zshrc", ".bash_logout"]

SUSPICIOUS_PATTERNS = [
    r"(nc|ncat|netcat)\s+.*-[elp]", r"(bash|sh)\s+-i\s+>&", r"/dev/tcp/",
    r"curl\s+.*\|\s*(bash|sh)", r"wget\s+.*-O\s*-\s*\|\s*(bash|sh)",
    r"python.*-c\s+.*socket", r"base64\s+--decode", r"chmod\s+\+s\s",
    r"(socat|openssl)\s+.*exec", r"crontab\s+-r",
]


def scan_crontabs():
    """Scan all crontab locations for suspicious entries."""
    findings = []
    for path in CRON_PATHS:
        if os.path.isfile(path):
            findings.extend(_scan_cron_file(path))
        elif os.path.isdir(path):
            for entry in os.listdir(path):
                full_path = os.path.join(path, entry)
                if os.path.isfile(full_path):
                    findings.extend(_scan_cron_file(full_path))
    user_crontabs = subprocess.run(
        ["bash", "-c", "for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u $u 2>/dev/null && echo \"__USER:$u\"; done"],
        capture_output=True, text=True,
        timeout=120,
    )
    if user_crontabs.returncode == 0:
        current_user = None
        for line in user_crontabs.stdout.splitlines():
            if line.startswith("__USER:"):
                current_user = line.split(":")[1]
            elif line.strip() and not line.startswith("#") and current_user:
                risk = _assess_cron_risk(line)
                findings.append({
                    "type": "user_crontab", "user": current_user,
                    "command": line.strip(), "risk": risk,
                    "mitre": "T1053.003",
                })
    return findings


def _scan_cron_file(filepath):
    """Scan a single cron file for entries."""
    entries = []
    try:
        with open(filepath) as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith("#"):
                    risk = _assess_cron_risk(line)
                    entries.append({
                        "type": "cron_file", "path": filepath,
                        "command": line, "risk": risk,
                        "mtime": datetime.fromtimestamp(os.path.getmtime(filepath)).isoformat(),
                        "mitre": "T1053.003",
                    })
    except PermissionError:
        entries.append({"type": "cron_file", "path": filepath, "error": "Permission denied"})
    return entries


def _assess_cron_risk(command):
    """Assess risk level of a cron command."""
    for pattern in SUSPICIOUS_PATTERNS:
        if re.search(pattern, command, re.IGNORECASE):
            return "critical"
    if any(kw in command.lower() for kw in ["wget", "curl", "/tmp/", "base64", "chmod"]):
        return "high"
    return "low"


def scan_systemd_units():
    """Scan systemd service and timer units for persistence."""
    findings = []
    for base_path in SYSTEMD_PATHS:
        if not os.path.isdir(base_path):
            continue
        for unit_file in glob.glob(os.path.join(base_path, "*.service")) + \
                          glob.glob(os.path.join(base_path, "*.timer")):
            try:
                stat = os.stat(unit_file)
                with open(unit_file) as f:
                    content = f.read()
                risk = "low"
                exec_lines = re.findall(r"ExecStart\s*=\s*(.+)", content)
                for ex in exec_lines:
                    if any(s in ex for s in ["/tmp/", "/dev/shm/", "curl", "wget", "bash -c"]):
                        risk = "high"
                    for pattern in SUSPICIOUS_PATTERNS:
                        if re.search(pattern, ex, re.IGNORECASE):
                            risk = "critical"
                dpkg_check = subprocess.run(
                    ["dpkg", "-S", unit_file], capture_output=True, text=True,
                    timeout=120,
                )
                package_managed = dpkg_check.returncode == 0
                if not package_managed:
                    risk = max(risk, "medium", key=lambda x: ["low", "medium", "high", "critical"].index(x))
                findings.append({
                    "type": "systemd_unit", "path": unit_file,
                    "exec_start": exec_lines, "package_managed": package_managed,
                    "risk": risk, "mtime": datetime.fromtimestamp(stat.st_mtime).isoformat(),
                    "mitre": "T1543.002",
                })
            except (PermissionError, FileNotFoundError):
                continue
    return findings


def scan_ld_preload():
    """Check for LD_PRELOAD hijacking."""
    findings = []
    preload_file = "/etc/ld.so.preload"
    if os.path.exists(preload_file):
        with open(preload_file) as f:
            content = f.read().strip()
        if content:
            findings.append({
                "type": "ld_preload_file", "path": preload_file,
                "libraries": content.splitlines(), "risk": "critical",
                "mitre": "T1574.006",
            })
    env_check = subprocess.run(["env"], capture_output=True, text=True, timeout=120)
    for line in env_check.stdout.splitlines():
        if line.startswith("LD_PRELOAD="):
            findings.append({
                "type": "ld_preload_env", "value": line.split("=", 1)[1],
                "risk": "critical", "mitre": "T1574.006",
            })
    return findings


def scan_shell_profiles():
    """Scan shell profile files for injected commands."""
    findings = []
    for home_dir in glob.glob("/home/*") + ["/root"]:
        for profile in SHELL_PROFILES:
            filepath = os.path.join(home_dir, profile)
            if not os.path.exists(filepath):
                continue
            try:
                with open(filepath) as f:
                    content = f.read()
                for pattern in SUSPICIOUS_PATTERNS:
                    matches = re.findall(pattern, content, re.IGNORECASE)
                    if matches:
                        findings.append({
                            "type": "shell_profile", "path": filepath,
                            "matched_pattern": pattern, "risk": "critical",
                            "mitre": "T1546.004",
                        })
            except PermissionError:
                continue
    etc_profiles = glob.glob("/etc/profile.d/*.sh")
    for filepath in etc_profiles:
        dpkg = subprocess.run(["dpkg", "-S", filepath], capture_output=True, text=True, timeout=120)
        if dpkg.returncode != 0:
            findings.append({
                "type": "etc_profile_d", "path": filepath,
                "package_managed": False, "risk": "medium", "mitre": "T1546.004",
            })
    return findings


def scan_ssh_authorized_keys():
    """Audit SSH authorized_keys files for unauthorized entries."""
    findings = []
    for home_dir in glob.glob("/home/*") + ["/root"]:
        auth_keys = os.path.join(home_dir, ".ssh", "authorized_keys")
        if not os.path.exists(auth_keys):
            continue
        try:
            with open(auth_keys) as f:
                for i, line in enumerate(f, 1):
                    line = line.strip()
                    if not line or line.startswith("#"):
                        continue
                    risk = "low"
                    if "command=" in line:
                        risk = "high"
                    if "no-pty" not in line and "command=" in line:
                        risk = "critical"
                    findings.append({
                        "type": "authorized_key", "path": auth_keys,
                        "line_number": i, "key_snippet": line[:80] + "...",
                        "has_command_restriction": "command=" in line,
                        "risk": risk, "mitre": "T1098.004",
                    })
        except PermissionError:
            continue
    return findings


def generate_report(cron, systemd, ld_preload, profiles, ssh_keys):
    """Generate persistence analysis report."""
    all_findings = cron + systemd + ld_preload + profiles + ssh_keys
    risk_counts = defaultdict(int)
    for f in all_findings:
        risk_counts[f.get("risk", "unknown")] += 1
    return {
        "report_time": datetime.utcnow().isoformat(),
        "total_findings": len(all_findings),
        "risk_summary": dict(risk_counts),
        "crontab_findings": len(cron),
        "systemd_findings": len(systemd),
        "ld_preload_findings": len(ld_preload),
        "shell_profile_findings": len(profiles),
        "ssh_key_findings": len(ssh_keys),
        "findings": all_findings,
    }


def main():
    parser = argparse.ArgumentParser(description="Linux Persistence Mechanism Analyzer")
    parser.add_argument("--output", default="linux_persistence_report.json")
    parser.add_argument("--scan", nargs="+", default=["all"],
                        choices=["all", "cron", "systemd", "ldpreload", "profiles", "ssh"])
    args = parser.parse_args()

    scans = set(args.scan) if "all" not in args.scan else {"cron", "systemd", "ldpreload", "profiles", "ssh"}
    cron = scan_crontabs() if "cron" in scans else []
    systemd = scan_systemd_units() if "systemd" in scans else []
    ld_preload = scan_ld_preload() if "ldpreload" in scans else []
    profiles = scan_shell_profiles() if "profiles" in scans else []
    ssh_keys = scan_ssh_authorized_keys() if "ssh" in scans else []

    report = generate_report(cron, systemd, ld_preload, profiles, ssh_keys)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Scanned {len(scans)} persistence categories")
    print(f"[+] Found {report['total_findings']} persistence artifacts")
    print(f"[+] Risk: critical={report['risk_summary'].get('critical', 0)} "
          f"high={report['risk_summary'].get('high', 0)}")
    print(f"[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
Keep exploring