Project

persistence-detector

0.0
The project is in a healthy, maintained state
persistence-detectorbluesentinelsec/persistence-detectorHomepageDocumentationSource CodeBug TrackerWiki
Many programs run automatically at system startup. We call these persistent auto-start executables. While persistent executables can be useful, they can also be used by malware to maintain long term access to a compromised system. Persistence Detector is a tool for detecting persistent auto-start programs on Windows, MacOS, and Linux. This information empowers users to identify, detect, and remove unwanted persistent programs from their systems.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
730
Stars
1
Forks
0
Watchers
1
 Releases
Current version
0.1.1
Total releases
2
First release
2023-05-20
Latest release
2023-05-20
 Development
Primary Language
Ruby
Licenses
GPL-3.0-only
Average date of last 50 commits
2023-05-18
Reverse Dependencies
0

 Dependencies

Runtime

colorize
~> 0.8.1
logger
~> 1.5.3
optparse
~> 0.3.1
 Project Readme

persistence-detector

Many programs run automatically at system startup.

We call these persistent auto-start executables.

While persistent executables can be useful, they can also be used by malware to maintain long term access to a compromised system.

Persistence Detector is a tool for detecting persistent auto-start programs on Windows, MacOS, and Linux.

This information empowers users to identify, detect, and remove unwanted persistent programs from their systems.

Prerequisites

Installation

Install from RubyGems.org:

gem install persistence-detector

Build from source:

git clone https://github.com/bluesentinelsec/persistence-detector

cd persistence-detector

bundle install

./bin/persistence-detector --help

Usage

# 1. Scan system against all persistence TTPs applicable to the host platform:
    persistence-detector

# 2. View available persistence detectors:
    persistence-detector --list

# 3. Scan for a specific persistence TTP (Scheduled Task/Job: Cron):
    persistence-detector --detect T1053.003

4. Enable verbose console logging
    persistence-detector -v

Future Work

This program was created in 5 days as part of Dakota State University's CSC 842 Security Tool Development class.

Due to the constrained timeline, we could not implement nearly the features we would have liked.

That said, if time permits, the following features would be pursued:

  • Add unit tests and CI/CD
  • Simplify OS/platform detection
  • Output findings in a standard schema for all detectors
  • Continue adding persistence detectors for parity with ATT&CK
  • Multiple output formats (formatted console, YAML, XML, CSV)
  • Add confidence and risk scores
  • Diff analysis
  • Check auto start programs against VirusTotal
  • Upload results via HTTP POST or AWS S3