This script is aimed at aiding an investigator at finding possible signs of malicious persistent access on a system. The methods and output are defined below.
Will McDonnell - [email protected]
Michael Milkovich - [email protected]
pip3 install -r requirements.txt
Requires sudo to access all files for persistence detection
sudo python3 persistence.py
Two files will be created after successful execution of the script
- report.txt
- user_bash.zip
Hidden executable - any files on the system that are both hidden (start with '.') and are marked as executable by a user (https://attack.mitre.org/techniques/T1158/)
Setuid files - any files with a setuid bit on. This will allow any user to run the executable as the owner (https://attack.mitre.org/techniques/T1166/)
Setgid directories - any directories with setgid bit on. File is run with permissions of the group (https://attack.mitre.org/techniques/T1166/)
https://attack.mitre.org/techniques/T1098/
Scheduled tasks - list of crontab info. Can find any persistence mechanism with scheduled tasks (https://attack.mitre.org/techniques/T1168/)
Chrome extensions - if applicable, will list ID or name (if possible) of chrome extension (https://attack.mitre.org/techniques/T1176/)
Group membership (https://attack.mitre.org/techniques/T1098/)
Active sessions - validate all current logged in users
All users' bashrc and bash_profile files will be added to a zip file to be manually inspected for any malicious modification (https://attack.mitre.org/techniques/T1156/)
For a comprehensive list of persistence techniques, see https://attack.mitre.org/