explaingit

raj3shp/persisthunt

Analysis updated 2026-06-24

12ShellAudience · ops devopsComplexity · 2/5Setup · easy

TLDR

Single bash script that scans a Linux host for common attacker persistence tricks (cron, systemd, rc.local, bind and reverse shells, BPFdoor markers) and tags each finding by confidence.

Mindmap

mindmap
  root((persisthunt))
    Inputs
      Linux host
      sudo access
    Outputs
      Tagged findings log
      High Low Informational sections
    Use Cases
      Incident response triage
      Routine host hygiene check
      Post-breach persistence sweep
      Feed to an LLM for summary
    Tech Stack
      Bash
      Linux
      systemd
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Sweep a suspected Linux box for cron, systemd, and rc.local persistence in one command

USE CASE 2

Run the script over SSH and save the output to a log for analyst review

USE CASE 3

Pipe the long output into an LLM to summarize the high-confidence findings

USE CASE 4

Fork the script and add your own keywords or detection rules

What is it built with?

BashLinux

How does it compare?

raj3shp/persisthuntabiodundotdo/termframesuyuan2022/ai-dev-pipeline
Stars121212
LanguageShellShellShell
Setup difficultyeasyeasymoderate
Complexity2/52/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

You need root or sudo on the target Linux host for many checks to return useful results.

In plain English

persisthunt is a single bash script for defenders, system administrators, and incident responders who need to quickly check a Linux machine for signs of a hidden intruder. The README explains that attackers who manage to break into a Linux box usually want to stay there even after a reboot, and they do that by hiding small launch hooks in places like cron jobs, systemd services, shell profiles, or boot scripts. The script walks through all those places in one pass and prints what it finds. The usage is simple. The user runs sudo persisthunt.sh > output.log on the suspected host, or pipes the script over SSH if the host cannot be touched directly. Each finding is tagged with a confidence label of High, Low, or Informational, so the analyst can scan straight for the loudest hits first. The author notes that the output can be long and is well suited to being summarized by a language model or AI agent after the fact. The High confidence checks cover the techniques most often used by real Linux malware. They include unusual at jobs, cron entries that mention curl, wget, netcat, or paths like /tmp and /dev/shm, active bind shells where an interpreter is listening on a network port, active reverse shells where a process has its stdin and stdout redirected to a socket, eBPF programs with raw network sockets (a sign of the BPFdoor rootkit family), suspicious systemd service or timer files, edited rc.local and profile files, hidden ELF binaries in /tmp and /home, world writable SUID or SGID binaries, processes hidden from ps, bind mount tricks over /proc, and a populated /etc/ld.so.preload. The Low confidence checks look at softer signals such as files with POSIX capabilities, recently created executables, git hooks, APT hooks, Yum or DNF plugins, Python .pth files, udev rules with RUN keys, PAM modules calling pam_exec, and recent edits to system binaries in /bin or /usr/bin. The Informational section is for manual review and dumps cron files, shell profiles, SSH authorized_keys, local users, mounts, running services, network connections, and container state. The author also describes the script as a flexible starting point that teams can edit with their own keywords and rules.

Copy-paste prompts

Prompt 1
Run persisthunt.sh with sudo on a suspect Ubuntu host and explain each high-confidence finding it returns
Prompt 2
Add a new detection rule to persisthunt.sh that flags suspicious entries in /etc/systemd/system overrides
Prompt 3
Pipe persisthunt.sh over SSH to a remote host without copying it to disk and save the output locally
Prompt 4
Summarize a persisthunt output log and rank the findings by likelihood of real compromise

Frequently asked questions

What is persisthunt?

Single bash script that scans a Linux host for common attacker persistence tricks (cron, systemd, rc.local, bind and reverse shells, BPFdoor markers) and tags each finding by confidence.

What language is persisthunt written in?

Mainly Shell. The stack also includes Bash, Linux.

How hard is persisthunt to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is persisthunt for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.