{"id":253946,"date":"2026-05-24T00:50:00","date_gmt":"2026-05-24T04:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/24\/tool-that-detects-117-persistence-malware-techniques-on-windows-linux-and-macos\/"},"modified":"2026-05-24T06:25:08","modified_gmt":"2026-05-24T10:25:08","slug":"tool-that-detects-117-persistence-malware-techniques-on-windows-linux-and-macos","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/24\/tool-that-detects-117-persistence-malware-techniques-on-windows-linux-and-macos\/","title":{"rendered":"Tool that Detects 117 persistence malware techniques on Windows, Linux, and macOS"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/pyrsistencesniper\/\">Tool that Detects 117 persistence malware techniques on Windows, Linux, and macOS<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/pyrsistencesniper\/\">https:\/\/cybersecuritynews.com\/pyrsistencesniper\/<\/a><\/p>\n<p>Publish Date: 2026-05-24 00:50:00<\/p>\n<p>Source Domain: cybersecuritynews.com<\/p>\n<p class=\"wp-block-paragraph\">PyrsistenceSniper is an offline persistence-detection tool that enables cybersecurity analysts to identify 117 separate persistence mechanisms across Windows, Linux, and macOS platforms.<\/p>\n<p class=\"wp-block-paragraph\">Originally inspired by Autoruns and PersistenceSniper, this Python-based solution developed by Hexastrike enables rapid triage of forensic collections without requiring live system access.<\/p>\n<p class=\"wp-block-paragraph\">According to the Hexastrike GitHub repository, PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. 
The tool utilizes the libregf library to parse registry hives natively, allowing it to complete comprehensive scans of heavily used systems in under thirty seconds.<\/p>\n<p class=\"wp-block-paragraph\">Analysts from Hexastrike explain that investigators can leverage signature-based filtering to validate Authenticode signatures and separate actual malicious persistence from default operating system noise.<\/p>\n<h2 id=\"h-pyrsistencesniper-detects-117-persistence-techniques\" class=\"wp-block-heading\"><strong>PyrsistenceSniper Detects 117 Persistence Techniques<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The command-line interface provides detailed terminal output that visually flags anomalies based on recognized MITRE ATT&#038;CK techniques.<\/p>\n<pre><code>pip install pyrsistencesniper\n# Scan a KAPE collection\npython -m pyrsistencesniper \/mnt\/case042\/C\n# HTML report for client delivery\npython -m pyrsistencesniper \/mnt\/case042\/C --format html --output report.html\n# Filter to specific ATT&#038;CK techniques\npython -m pyrsistencesniper \/mnt\/case042\/C --technique T1547 T1546<\/code><\/pre>\n<p>Tool Usage<\/p>\n<p class=\"wp-block-paragraph\">Security researchers report that PyrsistenceSniper supports standalone artifact scanning for isolated files like NTUSER.DAT or the SYSTEM hive, which is particularly useful when full directory structures are unavailable.<\/p>\n<h4 class=\"wp-block-heading\"><strong>Key capabilities<\/strong><\/h4>\n<ul class=\"wp-block-list\">\n<li><strong>Signature-based filtering<\/strong>\u00a0\u2014 Authenticode validation separates legitimate OS defaults from persistence entries, including swapped binaries and DLL proxying that value-based whitelists miss.<\/li>\n<li><strong>YAML detection profiles<\/strong>\u00a0\u2014 Allow and block rules configurable globally or per-check. 
Adapt checks to&#8230;<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cybersecuritynews.com\/pyrsistencesniper\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tool that Detects 117 persistence malware techniques on Windows, Linux, and macOS https:\/\/cybersecuritynews.com\/pyrsistencesniper\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":253947,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/PyrsistenceSniper-Detects-117-Persistence-Techniques.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,57],"class_list":["post-253946","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253946"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=253946"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253946\/revisions"}],"predecessor-version":[{"id":253948,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253946\/revisions\/253948"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/253947"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=253946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=25
3946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=253946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}