PyrsistenceSniper – Open-Source Tool Detects 117 Persistence Techniques Across Windows, Linux, and macOS
Hexastrike released PyrsistenceSniper, an open-source Python tool that detects 117 persistence mechanisms across Windows, Linux, and macOS by scanning offline disk images and forensic collections.

Hexastrike has released PyrsistenceSniper, an open-source Python tool designed to detect 117 distinct persistence mechanisms across Windows, Linux, and macOS platforms. The tool enables cybersecurity analysts to rapidly triage forensic collections without requiring live system access, making it a valuable addition to incident response arsenals.
PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. It leverages the libregf library to parse registry hives natively, allowing comprehensive scans of heavily used systems in under thirty seconds. The tool supports standalone artifact scanning for isolated files like NTUSER.DAT or the SYSTEM hive, which is particularly useful when full directory structures are unavailable.
Each finding is automatically enriched with file existence checks, SHA-256 hashes, and known LOLBin classifications to streamline the incident response process. Analysts can leverage signature-based filtering to validate Authenticode signatures and separate actual malicious persistence from default operating system noise. The command-line interface provides detailed terminal output that visually flags anomalies based on recognized MITRE ATT&CK techniques.
PyrsistenceSniper supports YAML-based detection profiles to customize allow and block rules either globally or per individual check. The system prioritizes block rules, automatically categorizing matches as high severity while filtering out known-good entries like Microsoft-signed binaries. This targeted suppression mechanism eliminates redundant alerts, often reducing total output volume by up to ninety percent during forensic analysis.
The tool's persistence checks are aligned with nine distinct MITRE ATT&CK techniques, including T1037 (Boot and Logon Initialization), T1053 (Scheduled Task/Job), T1543 (System Process Modification), T1546 (Event Triggered Execution), and T1547 (Boot/Logon Autostart). This ensures standardized threat reporting across compromised environments.
Forensic investigators can export findings into console, CSV, HTML, and XLSX formats. Recent updates introduced interactive HTML reports that allow defenders to dynamically filter and sort severity ratings. Incident response teams frequently use the CSV and XLSX outputs to stack anomalous indicators across multiple compromised systems simultaneously.
Security engineers can install PyrsistenceSniper directly from the Python Package Index or from the official source code. The development team also provides an official Docker container, enabling analysts to scan triage collections without configuring local Python environments or system dependencies. This containerized approach is frequently used to produce full HTML reports and CSV files during active incident response engagements.