explaingit

raj3shp/persisthunt

13 · Shell · Audience · ops, devops · Complexity · 2/5 · Active · Setup · easy

TLDR

Single bash script that scans a Linux host for common attacker persistence tricks (cron, systemd, rc.local, bind and reverse shells, BPFdoor markers) and tags each finding by confidence.

Mindmap

mindmap
  root((persisthunt))
    Inputs
      Linux host
      sudo access
    Outputs
      Tagged findings log
      High Low Informational sections
    Use Cases
      Incident response triage
      Routine host hygiene check
      Post-breach persistence sweep
      Feed to an LLM for summary
    Tech Stack
      Bash
      Linux
      systemd

Things people build with this

USE CASE 1

Sweep a suspected Linux box for cron, systemd, and rc.local persistence in one command

USE CASE 2

Run the script over SSH and save the output to a log for analyst review

USE CASE 3

Pipe the long output into an LLM to summarize the high-confidence findings

USE CASE 4

Fork the script and add your own keywords or detection rules

Tech stack

Bash · Linux

Getting it running

Difficulty · easy · Time to first run · 5 min

You need root or sudo on the target Linux host for many checks to return useful results. Because the script reads /proc and calls the host's own utilities, a rootkit that has already tampered with those can hide from it, so treat a clean run as triage rather than proof that the host is clean.

In plain English

persisthunt is a single bash script for defenders, system administrators, and incident responders who need to quickly check a Linux machine for signs of a hidden intruder. The README explains that attackers who break into a Linux box usually want to survive a reboot, and they do that by hiding small launch hooks in places like cron jobs, systemd units, shell profiles, or boot scripts. The script walks through all of those places in one pass and prints what it finds.

Usage is simple. The user runs sudo persisthunt.sh > output.log on the suspected host, or pipes the script over SSH if the host cannot be touched directly. Each finding is tagged with a confidence label of High, Low, or Informational, so the analyst can go straight to the loudest hits first. The author notes that the output can be long and is well suited to being summarized afterwards by a language model or AI agent.

The High confidence checks cover the techniques most often used by real Linux malware: unusual at jobs; cron entries that mention curl, wget, or netcat, or paths under /tmp and /dev/shm; active bind shells, where an interpreter is listening on a network port; active reverse shells, where a process has its stdin and stdout redirected to a socket; eBPF programs attached to raw network sockets (a marker of the BPFdoor backdoor family); suspicious systemd service or timer files; edited rc.local and profile files; hidden ELF binaries in /tmp and /home; world-writable SUID or SGID binaries; processes hidden from ps; bind mounts over /proc entries that hide processes; and a populated /etc/ld.so.preload.

The Low confidence checks look at softer signals such as files with POSIX capabilities, recently created executables, git hooks, APT hooks, Yum or DNF plugins, Python .pth files, udev rules with RUN keys, PAM configuration entries that call pam_exec, and recent edits to system binaries in /bin or /usr/bin.

The Informational section is for manual review and dumps cron files, shell profiles, SSH authorized_keys, local users, mounts, running services, network connections, and container state. The author also describes the script as a flexible starting point that teams can edit with their own keywords and rules.

Copy-paste prompts

Prompt 1
Run persisthunt.sh with sudo on a suspect Ubuntu host and explain each high-confidence finding it returns
Prompt 2
Add a new detection rule to persisthunt.sh that flags suspicious entries in /etc/systemd/system overrides
Prompt 3
Pipe persisthunt.sh over SSH to a remote host without copying it to disk and save the output locally
Prompt 4
Summarize a persisthunt output log and rank the findings by likelihood of real compromise

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.