PyrsistenceSniper, a new open-source Python-based tool from Hexastrike, enables forensic analysts to detect 117 distinct persistence mechanisms across Windows, Linux, and macOS platforms by scanning offline disk images and forensic collections rather than requiring live system access.
Offline Analysis for Rapid Triage
Inspired by Autoruns and PersistenceSniper, PyrsistenceSniper runs directly against mounted disk images, Velociraptor collections, and KAPE dumps. The tool leverages the libregf library to parse registry hives natively, completing comprehensive scans of heavily used systems in under 30 seconds.
Analysts can perform standalone artifact scanning on isolated files such as NTUSER.DAT or the SYSTEM hive, making the tool particularly useful when full directory structures are unavailable. Each finding is automatically enriched with file existence checks, SHA-256 hashes, and known LOLBin classifications to streamline incident response workflows.
Signature-Based Filtering and Custom Detection Profiles
PyrsistenceSniper employs signature-based filtering to validate Authenticode signatures, helping investigators separate actual malicious persistence from default operating system noise. The command-line interface visually flags anomalies based on recognized MITRE ATT&CK techniques.
Security professionals can deploy YAML-based detection profiles that define allow and block rules, either globally or per individual check. Block rules take precedence: any entry they match is flagged as high severity, while allow rules suppress known-good entries such as Microsoft-signed binaries. This targeted suppression can reduce total output volume by up to 90 percent during forensic analysis.
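As an added illustration of the allow/block semantics described above (example code, not PyrsistenceSniper's own), the following Python models a profile in its already-parsed form. The schema is an assumption: a `global` section plus per-check sections, each holding `allow` and `block` glob lists, with a `signer:` prefix for matching the Authenticode signer rather than the path.

```python
# Hypothetical model of allow/block profile evaluation; the schema is assumed.
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Finding:
    check: str           # persistence check that produced the entry
    path: str            # resolved image path of the autostart entry
    signer: str = ""     # Authenticode signer, if the binary is signed
    severity: str = "medium"
    suppressed: bool = False
    reason: str = ""

# Constructed profile in its parsed form (what a YAML loader would return).
PROFILE = {
    "global": {"allow": ["signer:Microsoft Windows*"],
               "block": ["*\\AppData\\Roaming\\*.exe"]},
    "checks": {"scheduled_tasks": {"allow": ["C:\\Program Files\\*"],
                                   "block": ["*\\Temp\\*"]}},
}

def _matches(finding: Finding, pattern: str) -> bool:
    """'signer:' patterns match the signer; everything else is a path glob."""
    if pattern.startswith("signer:"):
        return bool(finding.signer) and fnmatch(finding.signer, pattern[7:])
    return fnmatch(finding.path.lower(), pattern.lower())

def _rules(profile: dict, check: str, kind: str) -> list:
    """Per-check rules of the given kind followed by the global ones."""
    per_check = profile.get("checks", {}).get(check, {}).get(kind, [])
    return per_check + profile.get("global", {}).get(kind, [])

def apply_profile(finding: Finding, profile: dict = PROFILE) -> Finding:
    """Block wins over allow: block match -> high; allow match -> suppressed."""
    for pat in _rules(profile, finding.check, "block"):
        if _matches(finding, pat):
            finding.severity, finding.reason = "high", "block:" + pat
            return finding
    for pat in _rules(profile, finding.check, "allow"):
        if _matches(finding, pat):
            finding.suppressed, finding.reason = True, "allow:" + pat
            return finding
    return finding

def triage(findings: list) -> list:
    """Apply the profile and return only non-suppressed entries, high first."""
    kept = [f for f in (apply_profile(f) for f in findings) if not f.suppressed]
    return sorted(kept, key=lambda f: f.severity != "high")
```

A signed binary dropped under a per-check blocked path still comes out high severity, which is the precedence the article describes.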
Cross-Platform Coverage and Reporting
Hexastrike aligned the tool’s persistence checks with nine distinct MITRE ATT&CK techniques, covering categories including boot and logon initialization (T1037), scheduled tasks (T1053), system process modification (T1543), event-triggered execution (T1546), and boot/logon autostart (T1547). These categorizations enable security teams to track mechanisms ranging from hijacked execution flows to modified authentication processes.
Forensic investigators can export findings in console, CSV, HTML, and XLSX formats for integration with existing analysis workflows. Recent updates introduced interactive HTML reports that let defenders filter and sort findings by severity, while CSV and XLSX outputs allow anomalous indicators to be stacked across multiple compromised systems at once.
Deployment and Operational Flexibility
Security engineers can install PyrsistenceSniper directly from the Python Package Index using standard package managers or install it from source. The development team also provides an official Docker container, allowing analysts to scan triage collections without configuring a local Python environment; this is frequently used during active incident response engagements to produce full HTML reports and CSV files on demand.
For enterprise security teams conducting forensic investigations across heterogeneous environments, PyrsistenceSniper represents a significant step toward standardizing persistence detection without the operational overhead of live system analysis. As adversaries continue to refine their foothold strategies, tools that can rapidly triage offline artifacts at scale will become increasingly critical to incident response maturity.
— Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.


