PyrsistenceSniper is an offline persistence-hunting tool for forensic analysts and incident responders. It checks for 117 distinct persistence techniques across Windows, Linux, and macOS.
According to the Hexastrike GitHub page, PyrsistenceSniper works against mounted disk images, Velociraptor collections, and KAPE dumps. It parses registry hives directly with the libregf library instead of querying a live system, and the project states that a full scan of a collection completes in under thirty seconds.
PyrsistenceSniper Detects 117 Persistence Techniques
The command-line tool prints colour-coded terminal output that flags suspicious entries and maps each finding to the corresponding MITRE ATT&CK technique.
```shell
pip install pyrsistencesniper

# Scan a KAPE collection
python -m pyrsistencesniper /mnt/case042/C

# HTML report for client delivery
python -m pyrsistencesniper /mnt/case042/C --format html --output report.html

# Filter to specific ATT&CK techniques
python -m pyrsistencesniper /mnt/case042/C --technique T1547 T1546
```

Security researchers note that PyrsistenceSniper can also scan a single artifact, such as an NTUSER.DAT or SYSTEM hive, which is useful when the full directory structure was not collected.
Key capabilities
Signature-based filtering: Authenticode validation separates legitimate OS defaults from persistence entries, catching swapped binaries and DLL proxying that value-based whitelists (which compare only the registry value, not the file it points to) miss.
YAML detection profiles: Allow and block rules configurable globally or per-check. Adapt checks to customer baselines without modifying the codebase.
Finding enrichment: Every result is automatically annotated with file existence, SHA-256 hash, Authenticode signer, and LOLBin classification.
Single-file plugin system: Adding a new persistence check requires only one file. Declarative checks need no method overrides; complex logic overrides a single run() method.
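To make the plugin model concrete, the following is an added example written for this article, not PyrsistenceSniper's own code. It sketches a base check class where a declarative check sets only class attributes (key path, ATT&CK ID, an optional pattern) and a more involved check overrides a single run() method. The class names, the attribute names and the hive-access layer are assumptions; the real project reads hives with libregf, and here a constructed dict keyed by registry path stands in for a parsed SOFTWARE hive.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    technique: str
    key: str
    value_name: str
    data: str


class Check:
    """Hypothetical base class for a persistence check.

    A declarative check only sets the class attributes below; the default
    run() walks the values of one registry key (optionally limited to
    `value_names`) and reports those matching `suspicious`, or all of them
    when `suspicious` is None.
    """
    name = "base"
    technique = ""
    key = ""
    value_names = None   # None = every value under the key
    suspicious = None    # regex; None = report every value

    def run(self, hive):
        out = []
        for value_name, data in hive.get(self.key, {}).items():
            if self.value_names is not None and value_name not in self.value_names:
                continue
            if self.suspicious is None or re.search(self.suspicious, data, re.I):
                out.append(Finding(self.name, self.technique, self.key, value_name, data))
        return out


class RunKeyCheck(Check):
    """Declarative: report every value under the HKLM Run key (T1547.001)."""
    name = "run_key"
    technique = "T1547.001"
    key = r"Microsoft\Windows\CurrentVersion\Run"


class WinlogonShellCheck(Check):
    """Declarative with a pattern: Winlogon Shell should be exactly explorer.exe (T1547.004)."""
    name = "winlogon_shell"
    technique = "T1547.004"
    key = r"Microsoft\Windows NT\CurrentVersion\Winlogon"
    value_names = ("Shell",)
    suspicious = r"^(?!explorer\.exe$)"   # anything other than the default


class IfeoDebuggerCheck(Check):
    """Complex: IFEO Debugger values (T1546.012). Overrides run() because the
    data lives one subkey per executable rather than under a single key."""
    name = "ifeo_debugger"
    technique = "T1546.012"
    prefix = r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

    def run(self, hive):
        out = []
        for key, values in hive.items():
            if key.startswith(self.prefix + "\\") and "Debugger" in values:
                out.append(Finding(self.name, self.technique, key, "Debugger", values["Debugger"]))
        return out


def scan(hive):
    """Run every Check subclass defined in the process; a new single-file
    plugin only needs to define a subclass to be picked up (assumed design)."""
    findings = []
    for cls in Check.__subclasses__():
        findings.extend(cls().run(hive))
    return findings


# Constructed sample hive: registry key path -> {value name: data}.
SAMPLE_HIVE = {
    r"Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "Updater": r"C:\Users\Public\svch0st.exe",
    },
    r"Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"explorer.exe,C:\Users\Public\shell.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
    r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe": {
        "Debugger": r"C:\Windows\System32\cmd.exe",
    },
    r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe": {
        "DisableExceptionChainValidation": "0",
    },
}

if __name__ == "__main__":
    for f in scan(SAMPLE_HIVE):
        print(f"{f.technique:<10} {f.check:<15} {f.value_name:<15} {f.data}")
```

Running the block against the constructed hive yields four findings: both Run values, the tampered Winlogon Shell, and the sethc.exe IFEO debugger; the notepad.exe IFEO subkey without a Debugger value is ignored.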
Maurice Fielenbach notes that every finding carries the file-existence check, the SHA-256 hash, and the LOLBin classification so that incident responders can triage it without extra lookups.
Analysts can define custom allow and block rules in YAML files, either globally or for individual checks. According to the Hexastrike documentation, block rules take priority: a block-rule match is escalated to high severity, while allow rules suppress trusted entries such as Microsoft-signed files.
Threat hunters report that this filtering cuts noise substantially, reducing total alert volume by as much as ninety percent when a collection is analysed. Hexastrike maps each persistence check to specific MITRE ATT&CK techniques (nine in total, per the vendor) so that reports use consistent terminology.
PyrsistenceSniper covers 117 checks spanning the most commonly abused Windows persistence vectors:
| MITRE ID | Technique | Checks |
|---|---|---|
| T1547 | Boot/logon autostart execution | 43 |
| T1546 | Event triggered execution | 36 |
| T1574 | Hijack execution flow | 24 |
| T1137 | Office application startup | 7 |
| T1543 | Create or modify system process | 3 |
| T1053 | Scheduled task / job | 2 |
| T1556 | Modify authentication process | 2 |
Security teams use these categories to track everything from hijacked execution flow to modified authentication processes on compromised hosts. The table above lists the technique families covered by PyrsistenceSniper and the number of checks in each.
Forensic investigators can export PyrsistenceSniper results as console output, CSV, HTML, or XLSX, so findings slot into existing analysis workflows.
Recent updates, highlighted by Maurice Fielenbach, introduced interactive HTML reports that let defenders filter and sort findings by severity.
InfoSecBulletin Cybersecurity for mankind
