PyrsistenceSniper – Tool that Detects 117 Persistence Malware

PyrsistenceSniper, an advanced new tool, empowers cybersecurity analysts to detect offline persistence across Windows, Linux, and macOS. It identifies 117 distinct persistence mechanisms.

Originally inspired by Autoruns and PersistenceSniper, this Python-based solution developed by Hexastrike enables rapid triage of forensic collections without requiring live system access.

According to the Hexastrike GitHub repository, PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. The tool utilizes the libregf library to parse registry hives natively, allowing it to complete comprehensive scans of heavily used systems in under thirty seconds.

Analysts from Hexastrike explain that investigators can leverage signature-based filtering to validate Authenticode signatures and separate actual malicious persistence from default operating system noise.

PyrsistenceSniper Detects 117 Persistence Techniques

The command-line interface provides detailed terminal output that visually flags anomalies based on recognized MITRE ATT&CK techniques.

Security researchers report that PyrsistenceSniper supports standalone artifact scanning for isolated files like NTUSER.DAT or the SYSTEM hive, which is particularly useful when full directory structures are unavailable

Maurice Fielenbach notes that each finding is automatically enriched with file existence checks, SHA-256 hashes, and known LOLBin classifications to streamline the incident response process.

Cybersecurity professionals can deploy YAML-based detection profiles to customize allow and block rules either globally or per individual check.

Hexastrike documentation explains that this system prioritizes block rules, automatically categorizing matches as high severity while filtering out known-good entities like Microsoft-signed binaries.

Threat hunters emphasize that this targeted suppression mechanism eliminates redundant alerts, often reducing total output volume by up to ninety percent during forensic analysis.

Hexastrike aligned the tool’s unique persistence checks directly with nine distinct MITRE ATT&CK techniques to ensure standardized threat reporting.

Security teams utilize these categorizations to track mechanisms ranging from hijacked execution flows to modified authentication processes across compromised environments. The following table illustrates a cross-section of the specific persistence techniques identified by PyrsistenceSniper.

Forensic investigators can export PyrsistenceSniper findings into various formats, including console, CSV, HTML, and XLSX, to integrate seamlessly with existing analysis workflows.

Recent updates, highlighted by Maurice Fielenbach, introduced interactive HTML reports that allow defenders to dynamically filter and sort severity ratings.

Incident response teams frequently use the CSV and XLSX outputs to stack anomalous indicators across multiple compromised systems simultaneously.

Security engineers can install PyrsistenceSniper directly from the Python Package Index using standard package managers or by compiling it from the official source code.

The development team also provides an official Docker container, which allows analysts to scan triage collections without configuring local Python environments or system dependencies. Digital forensics professionals frequently utilize this containerized approach to export full HTML reports and CSV files dynamically during active incident response engagements.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.