PyrsistenceSniper is an advanced tool for offline persistence detection, enabling cybersecurity analysts to identify 117 separate persistence mechanisms across Windows, Linux, and macOS platforms.

Originally inspired by Autoruns and PersistenceSniper, this Python-based solution developed by Hexastrike enables rapid triage of forensic collections without requiring live system access.

According to the Hexastrike GitHub repository, PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. The tool utilizes the libregf library to parse registry hives natively, allowing it to complete comprehensive scans of heavily used systems in under thirty seconds.

Analysts from Hexastrike explain that investigators can leverage signature-based filtering to validate Authenticode signatures and separate actual malicious persistence from default operating system noise.

PyrsistenceSniper Detects 117 Persistence Techniques

The command-line interface provides detailed terminal output that visually flags anomalies based on recognized MITRE ATT&CK techniques.

    pip install pyrsistencesniper

    # Scan a KAPE collection
    python -m pyrsistencesniper /mnt/case042/C

    # HTML report for client delivery
    python -m pyrsistencesniper /mnt/case042/C --format html --output report.html

    # Filter to specific ATT&CK techniques
    python -m pyrsistencesniper /mnt/case042/C --technique T1547 T1546

Tool Usage

Security researchers report that PyrsistenceSniper supports standalone artifact scanning for isolated files like NTUSER.DAT or the SYSTEM hive, which is particularly useful when full directory structures are unavailable.

Key capabilities

  • Signature-based filtering — Authenticode validation separates legitimate OS defaults from persistence entries, including swapped binaries and DLL proxying that value-based whitelists miss.
  • YAML detection profiles — Allow and block rules configurable globally or per-check. Adapt checks to customer baselines without modifying the codebase.
  • Finding enrichment — Every result is automatically annotated with file existence, SHA-256 hash, Authenticode signer, and LOLBin classification.
  • Single-file plugin system — Adding a new persistence check requires only one file. Declarative checks need no method overrides; complex logic overrides a single run() method.

Maurice Fielenbach notes that each finding is automatically enriched with file existence checks, SHA-256 hashes, and known LOLBin classifications to streamline the incident response process.

Cybersecurity professionals can deploy YAML-based detection profiles to customize allow and block rules either globally or per individual check.

Hexastrike documentation explains that this system prioritizes block rules, automatically categorizing matches as high severity while filtering out known-good entities like Microsoft-signed binaries.
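The precedence described above (block rules win, matches become high severity, allow rules then suppress known-good entries such as Microsoft-signed binaries) as an added Python illustration; this is not PyrsistenceSniper's own code, and the profile layout, field names and sample findings are assumptions constructed for the example:

```python
import fnmatch

# Constructed profile, shown as it would look after loading a YAML file.
# The keys ("global", "checks", "allow", "block", "field", "pattern") are
# assumptions for this example, not PyrsistenceSniper's real schema.
PROFILE = {
    "global": {
        "allow": [{"field": "signer", "pattern": "Microsoft *"}],
        "block": [{"field": "path", "pattern": "*\\AppData\\Roaming\\*"}],
    },
    "checks": {"run_keys": {"block": [{"field": "path", "pattern": "*\\Temp\\*"}]}},
}

def _matches(rule, finding):
    """Case-insensitive glob match of one rule against one finding field."""
    value = str(finding.get(rule["field"], ""))
    return fnmatch.fnmatch(value.lower(), rule["pattern"].lower())

def _rules(profile, check, kind):
    """Global rules first, then the rules scoped to this particular check."""
    per_check = profile.get("checks", {}).get(check, {})
    return profile.get("global", {}).get(kind, []) + per_check.get(kind, [])

def apply_profile(profile, finding):
    """Block rules take precedence: a block match is raised to high severity
    even if an allow rule (e.g. a Microsoft signer) would otherwise suppress
    it. Only findings matching no block rule can be suppressed by allow."""
    result = dict(finding, suppressed=False, severity=finding.get("severity", "medium"))
    for rule in _rules(profile, finding["check"], "block"):
        if _matches(rule, finding):
            result["severity"] = "high"
            result["reason"] = f"block: {rule['field']} ~ {rule['pattern']}"
            return result
    for rule in _rules(profile, finding["check"], "allow"):
        if _matches(rule, finding):
            result["suppressed"] = True
            result["reason"] = f"allow: {rule['field']} ~ {rule['pattern']}"
            return result
    return result

# Constructed sample findings (not real case data).
FINDINGS = [
    {"check": "run_keys", "path": r"C:\Windows\System32\SecurityHealthSystray.exe", "signer": "Microsoft Windows", "severity": "low"},
    {"check": "run_keys", "path": r"C:\Users\a\AppData\Roaming\upd.exe", "signer": "Microsoft Windows", "severity": "low"},
    {"check": "winlogon", "path": r"C:\Users\a\AppData\Local\Temp\x.dll", "signer": None, "severity": "medium"},
]

def triage(profile=PROFILE, findings=FINDINGS):
    """Return only findings that survive suppression, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    kept = [r for r in (apply_profile(profile, f) for f in findings) if not r["suppressed"]]
    return sorted(kept, key=lambda r: order[r["severity"]])
```

The second finding shows the point of the precedence rule: it carries a Microsoft signer, but the Roaming-profile path hits a block rule, so it is kept at high severity rather than being whitelisted.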

Threat hunters emphasize that this targeted suppression mechanism eliminates redundant alerts, often reducing total output volume by up to ninety percent during forensic analysis.

Hexastrike aligned the tool’s unique persistence checks directly with nine distinct MITRE ATT&CK techniques to ensure standardized threat reporting.

PyrsistenceSniper covers 117 checks spanning the most commonly abused Windows persistence vectors:

MITRE ID   Technique                           Checks
T1547      Boot/logon autostart execution      43
T1546      Event triggered execution           36
T1574      Hijack execution flow               24
T1137      Office application startup           7
T1543      Create or modify system process      3
T1053      Scheduled task / job                 2
T1556      Modify authentication process        2

Security teams utilize these categorizations to track mechanisms ranging from hijacked execution flows to modified authentication processes across compromised environments. The following table illustrates a cross-section of the specific persistence techniques identified by PyrsistenceSniper.

Forensic investigators can export PyrsistenceSniper findings into various formats, including console, CSV, HTML, and XLSX, to integrate seamlessly with existing analysis workflows.

Recent updates, highlighted by Maurice Fielenbach, introduced interactive HTML reports that allow defenders to dynamically filter and sort severity ratings.

Incident response teams frequently use the CSV and XLSX outputs to stack anomalous indicators across multiple compromised systems simultaneously.

Security engineers can install PyrsistenceSniper directly from the Python Package Index using standard package managers or by compiling it from the official source code.

The development team also provides an official Docker container, which allows analysts to scan triage collections without configuring local Python environments or system dependencies. Digital forensics professionals frequently utilize this containerized approach to export full HTML reports and CSV files dynamically during active incident response engagements.