├── .github
│   └── workflows
│       └── main.yml
├── CONTRIBUTING.md
├── code-of-conduct.md
├── LICENSE
└── README.md

/.github/workflows/main.yml:
--------------------------------------------------------------------------------
name: CI
on:
  pull_request:
    branches: [main]
jobs:
  Awesome_Lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - run: npx awesome-lint
--------------------------------------------------------------------------------

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
**:wave: Don't hesitate to create a pull request when you have something awesome to add. Someone will fix it if it doesn't completely meet the guidelines.**

# :scroll: Contribution Guidelines

Pull requests and issues are welcome to add more awesomeness! Add the link as outlined below and optionally add a corresponding section
in the [README](https://github.com/Karneades/malware-persistence/blob/master/README.md) with more detailed information
in the main malware persistence knowledge base repository.

When making a pull request, please follow these guidelines:

- Lists within each section are alphabetized
- Add sections if necessary, use existing sections if possible
- Clear, concise descriptions for each link, followed by a period
- Use the following format: `[Item Name](homepage link) - Description.`
- No duplication of tools, put them where they make the most sense
- Prefer quality over quantity, only submit awesome stuff
- By submitting a pull request, you agree to release your submission under
  the [LICENSE](LICENSE)

:thumbsup: **Thanks!**

Please note that this project is released with a
[Contributor Code of Conduct](code-of-conduct.md). By participating in this
project you agree to abide by its terms.

---

## Updating your PR

A lot of times, making a PR adhere to the standards above can be difficult.
If the maintainers notice anything that we'd like changed, we'll ask you to
edit your PR before we merge it. There's no need to open a new PR, just edit
the existing one. If you're not sure how to do that,
[here is a guide](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md)
on the different ways you can update your PR so that we can merge it.
--------------------------------------------------------------------------------

/code-of-conduct.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, gender identity and expression, level of experience,
nationality, personal appearance, race, religion, or sexual identity and
orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or
  advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
  address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at <%= email %>. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
    HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Awesome Malware Persistence [![Awesome](https://awesome.re/badge.svg)](https://github.com/sindresorhus/awesome)

> A curated list of awesome malware persistence tools and resources.

Malware persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

[Main article about malware persistence](https://github.com/Karneades/malware-persistence/blob/master/README.md) with more context and information.

## Contents

* [Techniques](#techniques)
  * [Generic](#generic)
  * [Linux](#linux)
  * [macOS](#macos)
  * [Windows](#windows)
  * [Cloud](#cloud)
  * [Firmware](#firmware)
  * [Databases](#databases)
* [Persistence Removal](#persistence-removal)
  * [Generic](#generic-1)
  * [Windows](#windows-1)
* [Detection Testing](#detection-testing)
  * [Generic](#generic-2)
  * [Linux](#linux-1)
  * [macOS](#macos-1)
  * [Windows](#windows-2)
* [Prevention](#prevention)
  * [macOS](#macos-2)
* [Collection](#collection)
  * [Generic](#generic-3)
  * [Linux](#linux-2)
  * [macOS](#macos-3)
  * [Windows](#windows-3)

## Techniques

_Persistence techniques and detection._

### Generic

* [MITRE ATT&CK tactic "TA0003 - Persistence"](https://attack.mitre.org/tactics/TA0003/) - Persistence tactic information in the MITRE ATT&CK framework.
* [Forensic Artifact repository](https://github.com/ForensicArtifacts/artifacts) - A free, community-sourced, machine-readable knowledge base of digital forensic artifacts.
* [Sigma rules](https://github.com/Neo23x0/sigma/tree/master/rules) - Repository of detection rules, covering persistence techniques as well. You can even use filters such as `--filter tag=attack.persistence`, or `tag=attack.t1084` for one specific technique.

### Linux

* [Linux Malware Persistence with Cron](https://www.sandflysecurity.com/blog/linux-malware-persistence-with-cron/) - Blog post about Linux persistence using cron jobs.
* [Linux Persistence Techniques](https://research.splunk.com/stories/linux_persistence_techniques/) - List of persistence techniques.
* [Linux Red Team Persistence Techniques](https://www.linode.com/docs/guides/linux-red-team-persistence-techniques/) - List of persistence techniques.
* [PANIX - Persistence Against *NIX - Features](https://github.com/Aegrah/PANIX?tab=readme-ov-file#features) - List of persistence techniques.
* [Linux Detection Engineering - A primer on persistence mechanisms](https://www.elastic.co/security-labs/primer-on-persistence-mechanisms) - List of Linux persistence mechanisms.
* [ebpfkit](https://github.com/Gui774ume/ebpfkit) - Rootkit leveraging eBPF.
* [TripleCross](https://github.com/h3xduck/TripleCross) - Rootkit leveraging eBPF.
* [Linux LKM Persistence](https://righteousit.com/2024/11/18/linux-lkm-persistence/) - Rootkit leveraging a Linux loadable kernel module (LKM).

### macOS

* [theevilbit's series "Beyond the good ol' LaunchAgents"](https://theevilbit.github.io/tags/beyond/) - List of macOS persistence mechanisms beyond just LaunchDaemons and LaunchAgents.
* [KnockKnock](https://github.com/objective-see/KnockKnock/blob/main/Plugins) - A tool that scans macOS for persistence mechanisms. The specific persistence locations are found in the [plugins](https://github.com/objective-see/KnockKnock/tree/main/Plugins) folder, e.g. [LaunchItems](https://github.com/objective-see/KnockKnock/blob/main/Plugins/LaunchItems.m#L21) or [StartupScripts](https://github.com/objective-see/KnockKnock/blob/main/Plugins/StartupScripts.m#L22).
* [PoisonApple](https://github.com/CyborgSecurity/PoisonApple/blob/master/poisonapple/techniques.py) - Learn about various macOS persistence techniques by looking at the source code of PoisonApple.
* [How malware persists on macOS](https://www.sentinelone.com/blog/how-malware-persists-on-macos/) - List of macOS persistence mechanisms.

### Windows

* [Hexacorn's blog](http://www.hexacorn.com/blog/category/autostart-persistence/) - Blog series "Beyond good ol' Run key" covering a lot of Windows persistence mechanisms.
* [Autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) - You can learn which Windows persistence mechanisms are checked by looking at the output of Autoruns on your own client. The categories and the different locations where things were found are shown in the output. A disassembly of Autoruns lists a subset of the entries which are scanned.
* [PowerShell implementation of Autoruns](https://github.com/p0w3rsh3ll/AutoRuns/blob/master/AutoRuns.psm1) - Another way to find Windows persistence locations is to look at the source code of the PowerShell version of Autoruns. Bonus: A history of the covered persistence locations for each Autoruns version is found at the end of the module file too, which is so awesome!
* [Common malware persistence mechanisms](https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/) - Different persistence mechanisms for different vectors are described.
* [Malware persistence techniques](https://www.andreafortuna.org/2017/07/06/malware-persistence-techniques/) - Good summary of multiple persistence mechanisms, ranging from multiple registry keys to more advanced ones, like COM hijacking.
* [Detecting & Removing an Attacker's WMI Persistence](https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96) - Blog post about detecting and removing WMI persistence.
* [Windows Persistence using WinLogon](https://www.hackingarticles.in/windows-persistence-using-winlogon/) - Blog post about abusing WinLogon.
* [Untangling Kovter's persistence methods](https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/) - Blog post about Kovter's persistence methods, among others, hiding in the registry. Another one is [Threat Spotlight: Kovter Malware Fileless Persistence Mechanism](https://threatvector.cylance.com/en_us/home/threat-spotlight-kovter-malware-fileless-persistence-mechanism.html).
* [Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe](https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/) - Blog post about abusing GlobalFlags for process execution.
* [Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response](https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/) - Blog post about bootloader persistence.
* Various blog posts about COM/CLSID hijacking
  * [COM Object hijacking: the discreet way of persistence, 2014](https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence)
  * [Persistence – COM Hijacking, 2020](https://pentestlab.blog/2020/05/20/persistence-com-hijacking/)
  * [Abusing COM hijacking in combination with scheduled tasks, 2016](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)
* [Hunting for persistence via Microsoft Exchange Server or Outlook](https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook) - Blog post about Microsoft Exchange server persistence.

### Cloud

* [Shadow Linking: The Persistence Vector of SaaS Identity Threat](https://www.obsidiansecurity.com/blog/shadow-linking-the-persistence-vector-of-saas-identity-threat/) - Abuse of additional identity providers to persist in an environment.
* [Persisting on Entra ID applications and User Managed Identities with Federated Credentials](https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/) - Persist on Entra ID applications and User Managed Identities with Federated Credentials.
* [AWSDoor: Persistence on AWS](https://github.com/OtterHacker/AWSDoor) - Access persistence tool for AWS. The [corresponding article](https://www.riskinsight-wavestone.com/en/2025/09/awsdoor-persistence-on-aws/) describes the techniques adversaries can use to hide themselves within a cloud environment and the AWSDoor implementation that simplifies and automates the deployment of persistence techniques in AWS environments.

### Firmware

* [MoonBounce: the dark side of UEFI firmware](https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468) - An in-depth write-up about one particular UEFI bootkit.

### Databases

* [Database Triggers as Persistence Mechanisms](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-vector-database-triggers-as-persistence-mechanisms/) - An in-depth write-up about database triggers providing persistence.

## Persistence Removal

_Tools and commands for removing persistence mechanisms. Besides the tools mentioned below, use standard OS commands to remove the persistence._

### Generic

* [Awesome Incident Response](https://github.com/meirwah/awesome-incident-response) - Use the tools and resources for security incident response, aimed at helping security analysts and DFIR teams.

### Windows

* [PowerSponse](https://github.com/swisscom/PowerSponse) - An incident response tool covering various commands for the cleanup of persistence mechanisms as well.
* [Removing Backdoors – Powershell Empire Edition](https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/) - Various blog posts handle the removal of WMI implants.
* [RegDelNull](https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull) - Removal of registry keys with null bytes, used e.g. in run keys for evasion.

## Detection Testing

_Tools for testing detections. Use the techniques described in [Persistence Techniques](#techniques) to create these files or add the configuration changes by hand to test your detections._

### Generic

* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) - A red team attack techniques framework that also supports the MITRE ATT&CK persistence techniques, see e.g. [T1044 "File System Permissions Weakness"](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1044/T1044.yaml).

### Linux

* [PANIX](https://github.com/Aegrah/PANIX) - A highly customizable Linux persistence tool. Performs various persistence techniques against Linux systems, among others Debian and RHEL.
* [Diamorphine](https://github.com/m0nad/Diamorphine) - A loadable kernel module (LKM) rootkit for Linux Kernels (x86/x86_64 and ARM64).

### macOS

* [PoisonApple](https://github.com/CyborgSecurity/PoisonApple) - Performs various persistence techniques on macOS.

### Windows

* [hasherezade persistence demos](https://github.com/hasherezade/persistence_demos) - Various (also non-standard) persistence methods used by malware, for testing your own detections; among others, a COM hijacking demo is found in the repo.

## Prevention

_Tools for preventing malicious persistence._

### macOS

* [BlockBlock](https://github.com/objective-see/BlockBlock) - A tool that provides continual protection by monitoring persistence locations and protecting them accordingly. Similar to KnockKnock, but for blocking.

## Collection

_Tools for persistence collection._

### Generic

* [Awesome Forensics](https://github.com/Cugu/awesome-forensics) - Use the tools from this list, which includes awesome free (mostly open source) forensic analysis tools and resources. They help collect persistence mechanisms at scale, e.g. by using remote forensics tools.
* [osquery](https://osquery.readthedocs.io) - Query persistence mechanisms on clients.
* [OSSEC](https://github.com/ossec/ossec-hids) - Use rules and logs from the HIDS to detect configuration changes.

### Linux

_There is no dedicated persistence collection tool for Linux I'm aware of. Use some of the tools from the Generic section or standard OS commands for collection. Thanks for contributing links to Linux-specific persistence collection tools._

* [Linux Security and Monitoring Scripts](https://github.com/sqall01/LSMS) - Security and monitoring scripts you can use to monitor your Linux installation for security-related events or for an investigation. Among other things, they find systemd unit files used for malware persistence.

### macOS

* [KnockKnock](https://www.objective-see.com/products/knockknock.html) - A tool to uncover persistently installed software in order to generically reveal such malware. See the [GitHub repository for the source code](https://github.com/objective-see/KnockKnock).
* [Dylib Hijack Scanner or DHS](https://www.objective-see.com/products/dhs.html) - A simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. See the [GitHub repository for the source code](https://github.com/objective-see/DylibHijackScanner).

### Windows

* [Autoruns](http://technet.microsoft.com/en-us/sysinternals/bb963902) - A powerful persistence collection tool on Windows is Autoruns. It collects different categories of persistence information from a live system and [in limited ways from offline images](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/). There is a UI and a command-line program, and the output format can be set to CSV, which can then be imported into your log collection system of choice.
* [AutorunsToWinEventLog.ps1](https://github.com/palantir/windows-event-forwarding/blob/master/AutorunsToWinEventLog/AutorunsToWinEventLog.ps1) - Instead of using CSV output and copying these files to the server, you can use the AutorunsToWinEventLog script to convert the Autoruns output to Windows event logs and rely on standard Windows event log forwarding.
* [PowerShell Autoruns](https://github.com/p0w3rsh3ll/AutoRuns) - A PowerShell version of Autoruns.
* [PersistenceSniper](https://github.com/last-byte/PersistenceSniper) - PowerShell module to hunt for persistence implanted in Windows machines.
* [RegRipper](https://github.com/keydet89/RegRipper2.8) - Extracts various persistence mechanisms from the registry files directly.
* [RECmd](https://github.com/EricZimmerman/RECmd) - Extracts various persistence mechanisms, e.g. by using the config file [UserClassesASEPs](https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/UserClassesASEPs.reb) to extract users' CLSID information.
* [KAPE](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape) - The tool allows collecting various predefined artifacts using targets and modules, see [KapeFiles](https://github.com/EricZimmerman/KapeFiles), which include persistence mechanisms; among others there is a collection of [LNK files](https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/LNKFilesAndJumpLists.tkape), [scheduled task files](https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/ScheduledTasks.tkape) and a [scheduled task listing](https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/schtasks.mkape), or a [WMI repository auditing](https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/LiveResponse/WMI-Repository-Auditing.mkape) module.

## Contributing

Contributions welcome! Read the [contribution guidelines](CONTRIBUTING.md) first.
--------------------------------------------------------------------------------