PyrsistenceSniper: Advanced Tool for Detecting Malware Techniques
🚀 PyrsistenceSniper is an advanced tool designed for offline persistence detection, enabling cybersecurity analysts to identify 117 separate persistence mechanisms across Windows, Linux, and macOS platforms. Originally inspired by Autoruns and PersistenceSniper, this Python-based solution developed by Hexastrike allows for rapid triage of forensic collections without requiring live system access.
According to the Hexastrike GitHub repository, PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. The tool utilizes the libregf library to parse registry hives natively, allowing it to complete comprehensive scans of heavily used systems in under thirty seconds. Security researchers report that PyrsistenceSniper supports standalone artifact scanning for isolated files like NTUSER.DAT or the SYSTEM hive, which is particularly useful when full directory structures are unavailable.
Key Features
- Signature-based Filtering: Investigators can leverage signature-based filtering to validate Authenticode signatures and separate actual malicious persistence from default operating system noise.
- Customizable Detection Profiles: Cybersecurity professionals can deploy YAML-based detection profiles to customize allow and block rules either globally or per individual check.
- High Severity Categorization: Block rules take precedence; matches are automatically categorized as high severity, while known-good entries such as Microsoft-signed binaries are filtered out.
Enhanced Incident Response
Maurice Fielenbach notes that each finding is automatically enriched with file existence checks, SHA-256 hashes, and known LOLBin classifications to streamline the incident response process. Hexastrike aligned the tool’s unique persistence checks directly with nine distinct MITRE ATT&CK techniques to ensure standardized threat reporting. PyrsistenceSniper covers 117 checks spanning the most commonly abused Windows persistence vectors.
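To make the rule logic from the Key Features list and the enrichment described above concrete, here is an added Python example that is not code from the Hexastrike project. It re-implements the described behaviour in miniature: block rules are evaluated before allow rules and before the signed-binary allowlist, a block match is raised to high severity, surviving findings are enriched with a file-existence check and a SHA-256 hash resolved against a mounted image root. The nested profile layout, the field names, the `MICROSOFT_SIGNED` stand-in for Authenticode validation and the six findings are all constructed assumptions for the demonstration, not PyrsistenceSniper's real schema.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed allow/block profile: global rules plus per-check overrides.
# The exact key names are an assumption, not the project's YAML schema.
PROFILE = {
    "global": {
        "allow": ["C:\\Windows\\System32\\drivers\\*"],
        "block": ["*\\AppData\\Roaming\\*.vbs"],
    },
    "checks": {
        "run_keys": {
            "allow": ["C:\\Program Files\\*"],
            "block": ["*\\Temp\\*"],
        },
    },
}

# Constructed stand-in for the result of Authenticode validation: lower-cased
# paths that a signature check reported as signed by Microsoft.
MICROSOFT_SIGNED = {"c:\\windows\\system32\\securityhealthsystray.exe"}


@dataclass
class Finding:
    check: str            # which persistence check produced the entry
    path: str             # binary path as recorded in the artifact (Windows form)
    severity: str = "medium"
    reason: str = ""
    exists: Optional[bool] = None
    sha256: Optional[str] = None


def _rules(profile, check, kind):
    """Global rules of the given kind plus the per-check rules for this check."""
    per_check = profile.get("checks", {}).get(check, {})
    return profile.get("global", {}).get(kind, []) + per_check.get(kind, [])


def _matches(path, patterns):
    low = path.lower()
    return any(fnmatchcase(low, p.lower()) for p in patterns)


def classify(finding, profile=PROFILE, signed=MICROSOFT_SIGNED):
    """Return "report" or "drop". Block rules run first, so they win over
    allow rules and over a valid Microsoft signature."""
    if _matches(finding.path, _rules(profile, finding.check, "block")):
        finding.severity, finding.reason = "high", "block rule"
        return "report"
    if _matches(finding.path, _rules(profile, finding.check, "allow")):
        finding.reason = "allow rule"
        return "drop"
    if finding.path.lower() in signed:
        finding.reason = "microsoft-signed"
        return "drop"
    finding.reason = "unclassified"
    return "report"


def make_resolver(mount_root):
    """Map a recorded path such as C:\\Users\\... onto the mounted image root."""
    def resolve(win_path):
        rel = win_path[3:] if win_path[1:3] == ":\\" else win_path
        return os.path.join(mount_root, *rel.split("\\"))
    return resolve


def enrich(finding, resolve):
    """Record whether the file exists in the image and, if so, its SHA-256."""
    local = resolve(finding.path)
    finding.exists = os.path.isfile(local)
    if finding.exists:
        digest = hashlib.sha256()
        with open(local, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        finding.sha256 = digest.hexdigest()
    return finding


def triage(findings, resolve, profile=PROFILE, signed=MICROSOFT_SIGNED):
    """Keep only findings that survive the rules, enriched for the report."""
    return [enrich(f, resolve) for f in findings
            if classify(f, profile, signed) == "report"]


def demo():
    """Build a tiny constructed image tree and run six constructed findings."""
    mount = tempfile.mkdtemp(prefix="image_")
    try:
        roaming = os.path.join(mount, "Users", "bob", "AppData", "Roaming")
        os.makedirs(roaming)
        with open(os.path.join(roaming, "update.vbs"), "wb") as fh:
            fh.write(b"' constructed placeholder script body\n")
        findings = [
            Finding("run_keys", "C:\\Users\\bob\\AppData\\Roaming\\update.vbs"),        # global block
            Finding("run_keys", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),   # signed, dropped
            Finding("services", "C:\\Program Files\\Vendor\\svc.exe"),                # no rule, kept
            Finding("run_keys", "C:\\Program Files\\Vendor\\tool.exe"),               # per-check allow
            Finding("run_keys", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe"),       # per-check block
            Finding("run_keys", "C:\\Program Files\\Vendor\\AppData\\Roaming\\d.vbs"),  # allow vs block
        ]
        return triage(findings, make_resolver(mount))
    finally:
        shutil.rmtree(mount, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f.severity, f.check, f.path, f.reason, f.exists, f.sha256)
```

The last constructed finding matches both the per-check allow rule and the global block rule; because `classify` evaluates block rules first it is reported at high severity, which is the precedence the Key Features list describes. Paths are compared case-insensitively because registry values and NTFS paths on the imaged system are not case-sensitive, while the resolver translates the drive-letter form into a path under the mount point so the hash is computed from the offline image rather than the analyst's own machine.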
Exporting Findings
Forensic investigators can export PyrsistenceSniper findings into various formats, including console, CSV, HTML, and XLSX, to integrate seamlessly with existing analysis workflows. Recent updates introduced interactive HTML reports that allow defenders to dynamically filter and sort severity ratings.
Installation
Security engineers can install PyrsistenceSniper directly from the Python Package Index using standard package managers or by compiling it from the official source code. The development team also provides an official Docker container, which allows analysts to scan triage collections without configuring local Python environments or system dependencies.