GitHub Repo

Analytics Story: Linux Persistence Techniques

Updated Date: 2026-05-13 ID: e40d13e5-d38b-457e-af2a-e8e6a2f2b516 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.

Why it matters

Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.

Linux Persistence and Privilege Escalation Risk Behavior

 1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
 2  WHERE (
 3        All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques")
 4        OR
 5        source = "*Linux*"
 6    )
 7    All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system"
 8  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
 9| `drop_dm_object_name(All_Risk)`
10| `security_content_ctime(firstTime)`
11| `security_content_ctime(lastTime)`
12| where source_count >= 4
13| `linux_persistence_and_privilege_escalation_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Preload Hijack Library Calls Dynamic Linker Hijacking TTP
Linux Possible Append Cronjob Entry on Existing Cronjob File Cron Hunting
Linux Common Process For Elevation Control Setuid and Setgid Hunting
Linux Auditd System Network Configuration Discovery System Network Configuration Discovery Anomaly
Linux Auditd Add User Account Local Account Anomaly
Linux Auditd Setuid Using Setcap Utility Setuid and Setgid TTP
Linux Auditd Disable Or Modify System Firewall Disable or Modify System Firewall Anomaly
Linux Possible Ssh Key File Creation SSH Authorized Keys Anomaly
Linux Service File Created In Systemd Directory Systemd Timers Anomaly
Windows SoftEther VPN Masquerading as Legitimate Binary Masquerading, Protocol Tunneling TTP
Linux Edit Cron Table Parameter Cron Hunting
Linux Auditd Possible Access To Sudoers File Sudo and Sudo Caching Anomaly
Linux Doas Conf File Creation Sudo and Sudo Caching Anomaly
Linux Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions Anomaly
Linux Auditd Auditd Service Stop Service Stop Anomaly
Linux Auditd Setuid Using Chmod Utility Setuid and Setgid Anomaly
Linux Service Restarted Systemd Timers Anomaly
Linux Auditd Virtual Disk File And Directory Discovery File and Directory Discovery Anomaly
Linux Auditd Kernel Module Using Rmmod Utility Kernel Modules and Extensions TTP
Linux Auditd Doas Conf File Creation Sudo and Sudo Caching TTP
Linux Possible Append Command To At Allow Config File At Anomaly
Linux Auditd Osquery Service Stop Service Stop Anomaly
Linux Auditd Change File Owner To Root Linux and Mac Permissions Anomaly
Linux Setuid Using Setcap Utility Setuid and Setgid Anomaly
Linux Possible Access Or Modification Of sshd Config File SSH Authorized Keys Anomaly
Linux At Application Execution At Anomaly
Linux Auditd Add User Account Type Local Account Anomaly
Linux Auditd Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions Anomaly
Linux Possible Cronjob Modification With Editor Cron Hunting
Linux Auditd Service Restarted Systemd Timers Anomaly
Linux Doas Tool Execution Sudo and Sudo Caching Anomaly
Linux Adding Crontab Using List Parameter Cron Hunting
Linux Auditd Possible Access To Credential Files /etc/passwd and /etc/shadow Anomaly
Linux File Creation In Profile Directory Unix Shell Configuration Modification Anomaly
Linux File Creation In Init Boot Directory RC Scripts Anomaly
Linux Change File Owner To Root Linux and Mac Permissions Anomaly
Linux Auditd Unix Shell Configuration Modification Unix Shell Configuration Modification TTP
Linux Auditd Data Transfer Size Limits Via Split Syscall Data Transfer Size Limits Anomaly
Linux Auditd Hidden Files And Directories Creation File and Directory Discovery Anomaly
Linux Visudo Utility Execution Sudo and Sudo Caching Anomaly
Linux Sudo OR Su Execution Sudo and Sudo Caching Hunting
Linux Auditd Service Started Service Execution Anomaly
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow Anomaly
Linux At Allow Config File Creation Cron Anomaly
Linux File Created In Kernel Driver Directory Kernel Modules and Extensions Anomaly
Linux Auditd Shred Overwrite Command Data Destruction TTP
Linux Possible Access To Sudoers File Sudo and Sudo Caching Anomaly
Linux Auditd Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions Anomaly
Linux Auditd Preload Hijack Via Preload File Dynamic Linker Hijacking TTP
Linux Auditd Doas Tool Execution Sudo and Sudo Caching Anomaly
Linux Service Started Or Enabled Systemd Timers Anomaly
Linux Auditd At Application Execution At Anomaly
Linux Auditd File Permission Modification Via Chmod Linux and Mac Permissions Anomaly
Linux Auditd Find Credentials From Password Managers Password Managers TTP
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Cron Hunting
Linux Sudoers Tmp File Creation Sudo and Sudo Caching Anomaly
Linux Auditd Find Credentials From Password Stores Password Managers TTP
Linux Add User Account Local Account Hunting
Linux Auditd Database File And Directory Discovery File and Directory Discovery Anomaly
Linux Auditd Possible Access Or Modification Of Sshd Config File SSH Authorized Keys Anomaly
Linux Auditd Preload Hijack Library Calls Dynamic Linker Hijacking TTP
Linux Auditd File Permissions Modification Via Chattr Linux and Mac Permissions Anomaly
Linux Setuid Using Chmod Utility Setuid and Setgid Anomaly
Linux Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions Anomaly
Linux Auditd Base64 Decode Files Deobfuscate/Decode Files or Information Anomaly
Linux Auditd Unload Module Via Modprobe Kernel Modules and Extensions TTP
Linux Auditd Sudo Or Su Execution Sudo and Sudo Caching Anomaly
Linux Auditd Whoami User Discovery System Owner/User Discovery Anomaly
Linux Auditd Sysmon Service Stop Service Stop Anomaly
Linux Shred Overwrite Command Data Destruction TTP
Linux Auditd Nopasswd Entry In Sudoers File Sudo and Sudo Caching Anomaly
Linux Auditd Data Transfer Size Limits Via Split Data Transfer Size Limits Anomaly
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching Anomaly
Linux Auditd Private Keys and Certificate Enumeration Private Keys Anomaly
Linux Auditd File And Directory Discovery File and Directory Discovery Anomaly
Linux Possible Append Command To Profile Config File Unix Shell Configuration Modification Anomaly
Linux Add Files In Known Crontab Directories Cron Anomaly
Linux Auditd Edit Cron Table Parameter Cron Anomaly
Linux Auditd Find Ssh Private Keys Private Keys Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Linux Auditd Syscall Linux icon Linux auditd auditd
Linux Auditd Proctitle Linux icon Linux auditd auditd
Linux Auditd Execve Linux icon Linux auditd auditd
Linux Auditd Service Stop Linux icon Linux auditd auditd
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Linux Auditd Path Linux icon Linux auditd auditd
Linux Auditd Cwd Linux icon Linux auditd auditd
Linux Auditd Add User Linux icon Linux auditd auditd
Cisco Isovalent Process Exec Other cisco:isovalent:processExec not_applicable

References

Source: GitHub | Version: 2