Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
Overview
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
When to Use
- When investigating security incidents that require analyzing persistence mechanisms in linux
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Root or sudo access on target Linux system (or forensic image)
- auditd configured with file watch rules on persistence paths
- Python 3.8+ with standard library (os, subprocess, json)
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
Steps
- Scan Crontab Entries — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
- Audit Systemd Units — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
- Detect LD_PRELOAD Hijacking — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
- Inspect Shell Profiles — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
- Check SSH Authorized Keys — Audit all authorized_keys files for unauthorized public keys with command restrictions
- Correlate Auditd Logs — Search auditd logs for file modification events on persistence paths to build an installation timeline
- Generate Persistence Report — Produce a risk-scored report of all discovered persistence mechanisms
Expected Output
- JSON report of all persistence mechanisms found with risk scores
- Timeline of persistence installation from auditd correlation
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
- Remediation commands for each detected persistence mechanism
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.7 KB
Linux Persistence Mechanisms Detection API Reference
Crontab Inspection Commands
# List current user crontab
crontab -l
# List crontab for a specific user (requires root)
crontab -l -u username
# List all system cron jobs
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/
cat /etc/crontab
# Find recently modified cron files
find /var/spool/cron/ /etc/cron* -mtime -7 -type f 2>/dev/nullSystemd Unit Audit Commands
# List all enabled services
systemctl list-unit-files --type=service --state=enabled
# List all active timers
systemctl list-timers --all
# Show service details
systemctl cat suspicious.service
# Find non-package-managed unit files
find /etc/systemd/system/ -name '*.service' -exec sh -c \
'dpkg -S "$1" 2>/dev/null || echo "UNMANAGED: $1"' _ {} \;
# Check for user-level systemd units
find /home -path '*/.config/systemd/user/*.service' 2>/dev/nullLD_PRELOAD Detection
# Check ld.so.preload file
cat /etc/ld.so.preload 2>/dev/null
# Check environment for LD_PRELOAD
env | grep LD_PRELOAD
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep LD_PRELOAD
# Check running processes for injected libraries
for pid in /proc/[0-9]*; do
grep -l LD_PRELOAD "$pid/environ" 2>/dev/null && echo "PID: $(basename $pid)"
doneAuditd Rules for Persistence Monitoring
# Monitor crontab modifications
-w /etc/crontab -p wa -k cron_modification
-w /etc/cron.d/ -p wa -k cron_modification
-w /var/spool/cron/ -p wa -k cron_modification
# Monitor systemd unit changes
-w /etc/systemd/system/ -p wa -k systemd_modification
# Monitor ld.so.preload
-w /etc/ld.so.preload -p wa -k ld_preload_modification
# Monitor shell profiles
-w /etc/profile -p wa -k profile_modification
-w /etc/profile.d/ -p wa -k profile_modification
# Monitor authorized_keys
-w /root/.ssh/authorized_keys -p wa -k ssh_key_modification
# Search audit logs for persistence events
ausearch -k cron_modification --start today
ausearch -k systemd_modification -iSSH Authorized Keys Audit
# Find all authorized_keys files
find / -name authorized_keys -type f 2>/dev/null
# Check for command restrictions in keys
grep 'command=' /home/*/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/nullMITRE ATT&CK Techniques
| Technique | ID | Persistence Vector |
|---|---|---|
| Scheduled Task/Job: Cron | T1053.003 | Crontab entries |
| Create/Modify System Process: Systemd | T1543.002 | Systemd units |
| Hijack Execution Flow: LD_PRELOAD | T1574.006 | Shared library injection |
| Event Triggered Execution: Unix Shell | T1546.004 | .bashrc/.profile |
| Account Manipulation: SSH Keys | T1098.004 | authorized_keys |
Scripts 1
agent.py10.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Analyze Linux persistence mechanisms: crontab, systemd, LD_PRELOAD, shell profiles, SSH keys."""
import os
import re
import json
import glob
import subprocess
import argparse
from datetime import datetime
from collections import defaultdict
CRON_PATHS = [
"/etc/crontab", "/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/",
"/etc/cron.weekly/", "/etc/cron.monthly/", "/var/spool/cron/crontabs/",
"/var/spool/cron/",
]
SYSTEMD_PATHS = [
"/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/",
"/run/systemd/system/",
]
SHELL_PROFILES = [".bashrc", ".bash_profile", ".profile", ".zshrc", ".bash_logout"]
SUSPICIOUS_PATTERNS = [
r"(nc|ncat|netcat)\s+.*-[elp]", r"(bash|sh)\s+-i\s+>&", r"/dev/tcp/",
r"curl\s+.*\|\s*(bash|sh)", r"wget\s+.*-O\s*-\s*\|\s*(bash|sh)",
r"python.*-c\s+.*socket", r"base64\s+--decode", r"chmod\s+\+s\s",
r"(socat|openssl)\s+.*exec", r"crontab\s+-r",
]
def scan_crontabs():
"""Scan all crontab locations for suspicious entries."""
findings = []
for path in CRON_PATHS:
if os.path.isfile(path):
findings.extend(_scan_cron_file(path))
elif os.path.isdir(path):
for entry in os.listdir(path):
full_path = os.path.join(path, entry)
if os.path.isfile(full_path):
findings.extend(_scan_cron_file(full_path))
user_crontabs = subprocess.run(
["bash", "-c", "for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u $u 2>/dev/null && echo \"__USER:$u\"; done"],
capture_output=True, text=True,
timeout=120,
)
if user_crontabs.returncode == 0:
current_user = None
for line in user_crontabs.stdout.splitlines():
if line.startswith("__USER:"):
current_user = line.split(":")[1]
elif line.strip() and not line.startswith("#") and current_user:
risk = _assess_cron_risk(line)
findings.append({
"type": "user_crontab", "user": current_user,
"command": line.strip(), "risk": risk,
"mitre": "T1053.003",
})
return findings
def _scan_cron_file(filepath):
"""Scan a single cron file for entries."""
entries = []
try:
with open(filepath) as f:
for line in f:
line = line.strip()
if line and not line.startswith("#"):
risk = _assess_cron_risk(line)
entries.append({
"type": "cron_file", "path": filepath,
"command": line, "risk": risk,
"mtime": datetime.fromtimestamp(os.path.getmtime(filepath)).isoformat(),
"mitre": "T1053.003",
})
except PermissionError:
entries.append({"type": "cron_file", "path": filepath, "error": "Permission denied"})
return entries
def _assess_cron_risk(command):
"""Assess risk level of a cron command."""
for pattern in SUSPICIOUS_PATTERNS:
if re.search(pattern, command, re.IGNORECASE):
return "critical"
if any(kw in command.lower() for kw in ["wget", "curl", "/tmp/", "base64", "chmod"]):
return "high"
return "low"
def scan_systemd_units():
"""Scan systemd service and timer units for persistence."""
findings = []
for base_path in SYSTEMD_PATHS:
if not os.path.isdir(base_path):
continue
for unit_file in glob.glob(os.path.join(base_path, "*.service")) + \
glob.glob(os.path.join(base_path, "*.timer")):
try:
stat = os.stat(unit_file)
with open(unit_file) as f:
content = f.read()
risk = "low"
exec_lines = re.findall(r"ExecStart\s*=\s*(.+)", content)
for ex in exec_lines:
if any(s in ex for s in ["/tmp/", "/dev/shm/", "curl", "wget", "bash -c"]):
risk = "high"
for pattern in SUSPICIOUS_PATTERNS:
if re.search(pattern, ex, re.IGNORECASE):
risk = "critical"
dpkg_check = subprocess.run(
["dpkg", "-S", unit_file], capture_output=True, text=True,
timeout=120,
)
package_managed = dpkg_check.returncode == 0
if not package_managed:
risk = max(risk, "medium", key=lambda x: ["low", "medium", "high", "critical"].index(x))
findings.append({
"type": "systemd_unit", "path": unit_file,
"exec_start": exec_lines, "package_managed": package_managed,
"risk": risk, "mtime": datetime.fromtimestamp(stat.st_mtime).isoformat(),
"mitre": "T1543.002",
})
except (PermissionError, FileNotFoundError):
continue
return findings
def scan_ld_preload():
"""Check for LD_PRELOAD hijacking."""
findings = []
preload_file = "/etc/ld.so.preload"
if os.path.exists(preload_file):
with open(preload_file) as f:
content = f.read().strip()
if content:
findings.append({
"type": "ld_preload_file", "path": preload_file,
"libraries": content.splitlines(), "risk": "critical",
"mitre": "T1574.006",
})
env_check = subprocess.run(["env"], capture_output=True, text=True, timeout=120)
for line in env_check.stdout.splitlines():
if line.startswith("LD_PRELOAD="):
findings.append({
"type": "ld_preload_env", "value": line.split("=", 1)[1],
"risk": "critical", "mitre": "T1574.006",
})
return findings
def scan_shell_profiles():
"""Scan shell profile files for injected commands."""
findings = []
for home_dir in glob.glob("/home/*") + ["/root"]:
for profile in SHELL_PROFILES:
filepath = os.path.join(home_dir, profile)
if not os.path.exists(filepath):
continue
try:
with open(filepath) as f:
content = f.read()
for pattern in SUSPICIOUS_PATTERNS:
matches = re.findall(pattern, content, re.IGNORECASE)
if matches:
findings.append({
"type": "shell_profile", "path": filepath,
"matched_pattern": pattern, "risk": "critical",
"mitre": "T1546.004",
})
except PermissionError:
continue
etc_profiles = glob.glob("/etc/profile.d/*.sh")
for filepath in etc_profiles:
dpkg = subprocess.run(["dpkg", "-S", filepath], capture_output=True, text=True, timeout=120)
if dpkg.returncode != 0:
findings.append({
"type": "etc_profile_d", "path": filepath,
"package_managed": False, "risk": "medium", "mitre": "T1546.004",
})
return findings
def scan_ssh_authorized_keys():
"""Audit SSH authorized_keys files for unauthorized entries."""
findings = []
for home_dir in glob.glob("/home/*") + ["/root"]:
auth_keys = os.path.join(home_dir, ".ssh", "authorized_keys")
if not os.path.exists(auth_keys):
continue
try:
with open(auth_keys) as f:
for i, line in enumerate(f, 1):
line = line.strip()
if not line or line.startswith("#"):
continue
risk = "low"
if "command=" in line:
risk = "high"
if "no-pty" not in line and "command=" in line:
risk = "critical"
findings.append({
"type": "authorized_key", "path": auth_keys,
"line_number": i, "key_snippet": line[:80] + "...",
"has_command_restriction": "command=" in line,
"risk": risk, "mitre": "T1098.004",
})
except PermissionError:
continue
return findings
def generate_report(cron, systemd, ld_preload, profiles, ssh_keys):
"""Generate persistence analysis report."""
all_findings = cron + systemd + ld_preload + profiles + ssh_keys
risk_counts = defaultdict(int)
for f in all_findings:
risk_counts[f.get("risk", "unknown")] += 1
return {
"report_time": datetime.utcnow().isoformat(),
"total_findings": len(all_findings),
"risk_summary": dict(risk_counts),
"crontab_findings": len(cron),
"systemd_findings": len(systemd),
"ld_preload_findings": len(ld_preload),
"shell_profile_findings": len(profiles),
"ssh_key_findings": len(ssh_keys),
"findings": all_findings,
}
def main():
parser = argparse.ArgumentParser(description="Linux Persistence Mechanism Analyzer")
parser.add_argument("--output", default="linux_persistence_report.json")
parser.add_argument("--scan", nargs="+", default=["all"],
choices=["all", "cron", "systemd", "ldpreload", "profiles", "ssh"])
args = parser.parse_args()
scans = set(args.scan) if "all" not in args.scan else {"cron", "systemd", "ldpreload", "profiles", "ssh"}
cron = scan_crontabs() if "cron" in scans else []
systemd = scan_systemd_units() if "systemd" in scans else []
ld_preload = scan_ld_preload() if "ldpreload" in scans else []
profiles = scan_shell_profiles() if "profiles" in scans else []
ssh_keys = scan_ssh_authorized_keys() if "ssh" in scans else []
report = generate_report(cron, systemd, ld_preload, profiles, ssh_keys)
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Scanned {len(scans)} persistence categories")
print(f"[+] Found {report['total_findings']} persistence artifacts")
print(f"[+] Risk: critical={report['risk_summary'].get('critical', 0)} "
f"high={report['risk_summary'].get('high', 0)}")
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
Keep exploring