raj3shp / persisthunt

Linux Persistence Detection, Hunting and Artifact Collection script

89% credibility
Found May 24, 2026 at 19 stars.
Shell
AI Summary

Persisthunt is a free security tool that scans Linux computers for signs that an attacker has secretly set up backdoors or hidden ways to maintain access. It checks over 25 different persistence techniques commonly used by attackers, from suspicious scheduled tasks to hidden processes. The tool organizes its findings into three levels of concern—high-confidence warnings that definitely need attention, low-confidence warnings worth investigating, and informational findings for manual review. It's designed for system administrators, security researchers, and anyone who wants to proactively check their Linux systems for compromise.

How It Works

1. 🔍 You hear about a security checkup tool

A colleague mentions a script that can scan your Linux system for hidden backdoors and suspicious persistence mechanisms that attackers might leave behind.

2. 🛡️ You learn what it checks for

The tool looks for over 25 different signs that someone might have secretly set up shop on your system, from hidden processes to suspicious scheduled tasks.

3. You run the scan on your system

With a simple command, the script thoroughly examines your system while you grab a coffee, checking everything from startup scripts to network connections.

4. You receive your security report

🚨 High-confidence warnings

Clear red flags that definitely need investigation, like active hidden connections or modified system files

⚠️ Low-confidence warnings

Things worth noting but requiring more investigation, like recently changed files

📋 Informational findings

A complete inventory of your system's startup configurations for your own review

5. 🔎 You investigate any suspicious findings

Each warning includes details about what triggered it, helping you understand if it's a real threat or just normal system activity.

You know your system is secure

With a clear picture of your system's security state, you can sleep better knowing you've checked for the most common persistence techniques attackers use.

AI-Generated Review

What is persisthunt?

Persisthunt is a Bash script that hunts for Linux persistence mechanisms and collects forensic artifacts during incident response. It scans system locations like cron jobs, systemd services, init scripts, shell profiles, and hidden files to identify suspicious patterns commonly used by attackers to maintain a foothold on compromised systems. The tool categorizes findings into High, Low, and Informational severity levels, flagging things like active reverse shells, SUID world-writable binaries, hidden processes, and systemd units referencing /tmp or suspicious network tools.

Why is it gaining traction?

This script distills years of Linux forensics knowledge into a single executable you can drop on any system. It covers both obvious persistence vectors (cron, systemd) and advanced techniques like eBPF backdoors, rootkit-hidden processes, LD_PRELOAD abuse, and Python .pth file persistence. Running it remotely over SSH produces a log file that can be fed directly to an LLM for triage, which is exactly how modern threat hunting workflows are evolving. The keyword-based detection approach is simple but effective—you get visibility without complex dependencies.

Who should use this?

Incident responders and SOC analysts hunting for persistence on compromised Linux hosts will find this most useful. System administrators running security audits on production servers will appreciate the broad coverage. Red teamers can use it to validate whether their persistence techniques would be caught. This is a defensive tool, not a monitoring agent—it excels when you need a quick snapshot of a system's persistence landscape.

Verdict

Persisthunt is a focused, practical forensics script with impressive MITRE ATT&CK coverage, but the 18-star count and 0.899% credibility score signal it's early-stage and community validation is minimal. Use it as a starting point for your forensics toolkit, but validate findings manually and extend the keyword lists for your environment before relying on it in production incident response.
