awesome-malware-persistence
github.com/karneades/awesome-malware-persistence

A curated list of awesome malware persistence tools and resources.
What's inside
Techniques
- Abusing COM hijacking in combination with scheduled tasks, 2016 (Windows)
- Autoruns (Windows)
You can learn which Windows persistence mechanisms are checked by looking at the output of Autoruns on your own client. The output shows the categories and the different locations where entries were found. A disassembly of Autoruns lists a subset of the entries which are scanned.
- AWSDoor: Persistence on AWS (Cloud)
Access persistence tool for AWS. The
- Common malware persistence mechanisms (Windows)
Different persistence mechanisms for different vectors are described.
- COM Object hijacking: the discreet way of persistence, 2014 (Windows)
- Database Triggers as Persistence Mechanisms (Databases)
An in-depth write-up about database triggers providing persistence.
Detection Testing
- Atomic Red Team (Generic)
A red team attack techniques framework that also supports the MITRE ATT&CK persistence techniques, see e.g.
- Diamorphine (Linux)
A loadable kernel module (LKM) rootkit for Linux kernels (x86/x86_64 and ARM64).
- hasherezade persistence demos (Windows)
Various (also non-standard) persistence methods used by malware, for testing your own detection; among others, a COM hijacking demo is found in the repo.
- PANIX (Linux)
A highly customizable Linux persistence tool. Performs various persistence techniques against Linux systems, including Debian and RHEL.
- PoisonApple (macOS)
Performs various persistence techniques on macOS.
Collection
- Autoruns (Windows)
A powerful persistence collection tool on Windows is Autoruns. It collects different categories and persistence information from a live system and
- AutorunsToWinEventLog.ps1 (Windows)
Instead of using CSV output and copying these files to the server, you can use the AutorunsToWinEventLog script to convert the Autoruns output to Windows event logs and rely on standard Windows event log forwarding.
- Awesome Forensics (Generic)
Use the tools from this list, which includes awesome free (mostly open source) forensic analysis tools and resources. They help collect the persistence mechanisms at scale, e.g. by using remote forensics tools.
- Dylib Hijack Scanner or DHS (macOS)
A simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked. See
- KAPE (Windows)
The tool allows collecting various predefined artifacts using targets and modules, see
- KnockKnock (macOS)
A tool to uncover persistently installed software in order to generically reveal such malware. See
Persistence Removal
- Awesome Incident Response (Generic)
Use the tools and resources for security incident response, aimed at helping security analysts and DFIR teams.
- PowerSponse (Windows)
An incident response tool covering various commands, including cleanup of persistence mechanisms.
- RegDelNull (Windows)
Removal of registry keys with null bytes, used e.g. in run keys for evasion.
- Removing Backdoors – Powershell Empire Edition (Windows)
Various blog posts handle the removal of WMI implants.
Prevention
- BlockBlock (macOS)
A tool which provides continual protection by monitoring persistence locations and protecting them accordingly. Similar to KnockKnock, but for blocking.