
PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS

Source: Cybersecurity News. Archived May 24, 2026.




By Guru Baran, May 24, 2026

PyrsistenceSniper is an offline persistence detection tool that lets cybersecurity analysts identify 117 separate persistence mechanisms across Windows, Linux, and macOS. Inspired by Autoruns and PersistenceSniper, this Python-based tool developed by Hexastrike enables rapid triage of forensic collections without requiring live system access.

According to the Hexastrike GitHub repository, PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. It uses the libregf library to parse registry hives natively, which lets it complete a comprehensive scan of a heavily used system in under thirty seconds. Hexastrike explains that investigators can use signature-based filtering to validate Authenticode signatures and separate genuinely malicious persistence from default operating-system noise.

PyrsistenceSniper Detects 117 Persistence Techniques

The command-line interface provides detailed terminal output that visually flags anomalies based on recognized MITRE ATT&CK techniques.

Tool Usage

PyrsistenceSniper supports standalone artifact scanning of isolated files such as NTUSER.DAT or the SYSTEM hive, which is particularly useful when full directory structures are unavailable. Maurice Fielenbach notes that each finding is automatically enriched with file existence checks, SHA-256 hashes, and known LOLBin classifications to streamline incident response. Analysts can deploy YAML-based detection profiles to customize allow and block rules either globally or per individual check.
Hexastrike's documentation explains that block rules take priority: matches are automatically categorized as high severity, while known-good entities such as Microsoft-signed binaries are filtered out. This targeted suppression eliminates redundant alerts and, according to threat hunters, often reduces total output volume by up to ninety percent during forensic analysis.

Hexastrike mapped the tool's persistence checks directly to nine distinct MITRE ATT&CK techniques to standardize threat reporting. Security teams use these categorizations to track mechanisms ranging from hijacked execution flows to modified authentication processes across compromised environments. The following table shows a cross-section of the persistence techniques PyrsistenceSniper identifies.

MITRE Technique ID   Technique Category              Notable Checks
T1037                Boot and Logon Initialization   Group Policy scripts, Logon scripts
T1053                Scheduled Task/Job              Ghost tasks, Scheduled task files
T1543                System Process Modification     Service failure commands, Windows service DLLs
T1546                Event Triggered Execution       WMI event subscriptions, Accessibility tools
T1547                Boot/Logon Autostart            Run keys, Startup folders, Print monitors

Forensic investigators can export findings to console, CSV, HTML, and XLSX formats to integrate with existing analysis workflows. Recent updates, highlighted by Maurice Fielenbach, introduced interactive HTML reports that let defenders dynamically filter and sort by severity. Incident response teams frequently use the CSV and XLSX outputs to stack anomalous indicators across multiple compromised systems. PyrsistenceSniper can be installed directly from the Python Package Index using standard package managers or built from the official source code.
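The allow/block profile evaluation and per-finding enrichment described above, as an added Python illustration that is not PyrsistenceSniper's own code: block rules win and raise severity to high, allow rules suppress, rules are scoped globally or per check, and each kept finding gets an existence check against the mounted image root, a SHA-256 hash and a LOLBin flag. The Finding class, the evaluate/enrich/triage functions, the rule field names and the LOLBin list are assumptions; the profile is written as a Python dict standing in for the tool's YAML file, and the sample findings and image contents are constructed.

```python
"""Added illustration (not PyrsistenceSniper's own code) of allow/block
profile evaluation and finding enrichment. All names are assumptions."""
import fnmatch
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    check: str                    # name of the persistence check, e.g. "run_keys"
    technique: str                # MITRE ATT&CK technique id
    path: str                     # executable/script path recovered from the artifact
    signer: Optional[str] = None  # Authenticode signer, None if unsigned or unknown
    severity: str = "medium"
    exists: Optional[bool] = None
    sha256: Optional[str] = None
    lolbin: bool = False
    rule: Optional[str] = None    # name of the block rule that fired, if any


# Constructed profile: global allow/block lists plus per-check overrides
# (stands in for the tool's YAML file).
PROFILE = {
    "allow": [{"name": "ms-signed", "signer": "Microsoft Windows"}],
    "block": [{"name": "temp-dir-autorun", "path": "*\\AppData\\Local\\Temp\\*"}],
    "checks": {
        "run_keys": {
            "allow": [{"name": "program-files", "path": "C:\\Program Files\\*"}],
            "block": [{"name": "script-autorun", "path": "*.vbs"}],
        }
    },
}

# Constructed LOLBin list; the real tool ships its own classification data.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
SAMPLE_BYTES = b"constructed stand-in for a binary inside the mounted image"


def _matches(rule, finding):
    """A rule matches when every field it sets matches (case-insensitive glob on path)."""
    if "path" in rule and not fnmatch.fnmatchcase(finding.path.lower(), rule["path"].lower()):
        return False
    if "signer" in rule and finding.signer != rule["signer"]:
        return False
    return True


def enrich(finding, image_root):
    """Resolve the Windows path under the mounted image root, then check existence,
    hash the file if present and classify the basename against the LOLBin list."""
    rel = re.sub(r"^[A-Za-z]:", "", finding.path.replace("\\", "/")).lstrip("/")
    full = os.path.join(image_root, rel)
    finding.exists = os.path.isfile(full)
    if finding.exists:
        with open(full, "rb") as fh:
            finding.sha256 = hashlib.sha256(fh.read()).hexdigest()
    finding.lolbin = os.path.basename(rel).lower() in LOLBINS
    return finding


def evaluate(finding, profile):
    """Block rules are checked first and win: a match is kept at high severity.
    An allow match suppresses the finding (returns None). Design choice of this
    example: a signer-only allow rule never suppresses a LOLBin, because a signed
    system binary is exactly what gets reused for persistence."""
    per_check = profile.get("checks", {}).get(finding.check, {})
    for rule in profile.get("block", []) + per_check.get("block", []):
        if _matches(rule, finding):
            finding.severity, finding.rule = "high", rule["name"]
            return finding
    for rule in profile.get("allow", []) + per_check.get("allow", []):
        if finding.lolbin and "path" not in rule:
            continue
        if _matches(rule, finding):
            return None
    return finding


def triage(findings, profile, image_root):
    """Enrich, apply the profile, and return kept findings, highest severity first."""
    kept = [f for f in (evaluate(enrich(f, image_root), profile) for f in findings) if f]
    return sorted(kept, key=lambda f: SEVERITY[f.severity], reverse=True)


def demo():
    """Run triage over constructed findings against a throwaway 'mounted image'."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        with open(os.path.join(root, "Windows", "System32", "mshta.exe"), "wb") as fh:
            fh.write(SAMPLE_BYTES)
        findings = [
            Finding("run_keys", "T1547", "C:\\Windows\\System32\\mshta.exe", "Microsoft Windows"),
            Finding("run_keys", "T1547", "C:\\Program Files\\Vendor\\updater.exe", "Vendor Inc"),
            Finding("run_keys", "T1547", "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
            Finding("startup_folder", "T1547", "C:\\Users\\alice\\update.vbs"),
            Finding("services", "T1543", "C:\\Windows\\System32\\svchost.exe", "Microsoft Windows"),
        ]
        return triage(findings, PROFILE, root)


if __name__ == "__main__":
    for f in demo():
        print(f.severity, f.technique, f.check, f.path, f.exists, f.lolbin, f.rule)
```

Running it prints three kept findings: the Temp-directory autorun at high severity from the global block rule, the Microsoft-signed mshta.exe kept as a LOLBin despite the signer allow rule, and the .vbs in the Startup folder at medium severity because the script-autorun block rule is scoped to the run_keys check only. The Program Files entry and svchost.exe are suppressed. The LOLBin exception in evaluate is this example's own choice, not something the article states about the tool, but it is the interaction a practitioner should check in any profile before trusting a large reduction in output volume.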
The development team also provides an official Docker container, which lets analysts scan triage collections without configuring a local Python environment or system dependencies. Digital forensics practitioners frequently use this containerized approach to export full HTML reports and CSV files during active incident response engagements.