erosolar-cli 1.7.339 → 1.7.340

package/dist/security/persistence-cli.js

@@ -0,0 +1,160 @@
+#!/usr/bin/env node
+/**
+ * Persistence Research CLI
+ *
+ * Command-line interface for security research on persistence mechanisms
+ * across Windows, Linux, and cross-platform environments.
+ */
+import { PersistenceAnalyzer } from './persistence-analyzer.js';
+class PersistenceCLI {
+    analyzer;
+    constructor() {
+        this.analyzer = new PersistenceAnalyzer();
+    }
+    /**
+     * Parse command line arguments
+     */
+    parseArguments(args) {
+        const parsed = {};
+        for (let i = 0; i < args.length; i++) {
+            const arg = args[i];
+            switch (arg) {
+                case '--platform':
+                case '-p':
+                    parsed.platform = args[++i];
+                    break;
+                case '--output':
+                case '-o':
+                    parsed.output = args[++i];
+                    break;
+                case '--include-remediation':
+                case '-r':
+                    parsed.includeRemediation = true;
+                    break;
+                case '--risk-threshold':
+                case '-t':
+                    parsed.riskThreshold = args[++i];
+                    break;
+                case '--generate-rules':
+                case '-g':
+                    const rules = args[++i]?.split(',');
+                    if (rules) {
+                        parsed.generateRules = rules;
+                    }
+                    break;
+                case '--test-cases':
+                    parsed.testCases = true;
+                    break;
+                case '--simulate-detection':
+                    parsed.simulateDetection = true;
+                    break;
+                case '--assessment':
+                    parsed.assessment = true;
+                    break;
+                case '--help':
+                case '-h':
+                    parsed.help = true;
+                    break;
+            }
+        }
+        return parsed;
+    }
+    /**
+     * Display help information
+     */
+    showHelp() {
+        console.log(`
+Persistence Research CLI
+
+Usage:
+  node persistence-cli.js [options]
+
+Options:
+  --platform, -p <platform>    Target platform (windows, linux, cross-platform)
+  --output, -o <format>        Output format (text, json, csv) [default: text]
+  --include-remediation, -r    Include remediation steps in output
+  --risk-threshold, -t <level> Filter by risk level (low, medium, high, critical) [default: medium]
+  --generate-rules, -g <ids>   Generate detection rules for specific techniques (comma-separated)
+  --test-cases                 Generate test cases for security validation
+  --simulate-detection         Simulate detection of persistence techniques
+  --assessment                 Generate comprehensive security assessment report
+  --help, -h                  Show this help message
+
+Examples:
+  # Analyze Windows persistence techniques
+  node persistence-cli.js --platform windows
+
+  # Generate JSON output with remediation steps
+  node persistence-cli.js --platform linux --output json --include-remediation
+
+  # Generate detection rules for specific techniques
+  node persistence-cli.js --generate-rules win-registry-run,linux-cron
+
+  # Generate security assessment report
+  node persistence-cli.js --platform windows --assessment
+
+  # Generate test cases for Linux
+  node persistence-cli.js --platform linux --test-cases
+    `);
+    }
+    /**
+     * Execute the CLI with provided arguments
+     */
+    async execute(args) {
+        const parsedArgs = this.parseArguments(args);
+        if (parsedArgs.help || args.length === 0) {
+            this.showHelp();
+            return;
+        }
+        try {
+            if (parsedArgs.generateRules) {
+                const rules = this.analyzer.generateDetectionRules(parsedArgs.generateRules);
+                console.log(rules);
+                return;
+            }
+            if (parsedArgs.testCases && parsedArgs.platform) {
+                const testCases = this.analyzer.generateTestCases(parsedArgs.platform);
+                console.log(testCases);
+                return;
+            }
+            if (parsedArgs.simulateDetection && parsedArgs.platform) {
+                const detected = this.analyzer.simulateDetection(parsedArgs.platform);
+                console.log('Simulated Detection Results:');
+                console.log(JSON.stringify(detected, null, 2));
+                return;
+            }
+            if (parsedArgs.assessment && parsedArgs.platform) {
+                const report = this.analyzer.generateAssessmentReport(parsedArgs.platform);
+                console.log(report);
+                return;
+            }
+            if (parsedArgs.platform) {
+                const options = {
+                    platform: parsedArgs.platform,
+                    outputFormat: parsedArgs.output || 'text',
+                    includeRemediation: parsedArgs.includeRemediation || false,
+                    riskThreshold: parsedArgs.riskThreshold || 'medium'
+                };
+                const analysis = this.analyzer.analyzePlatform(options);
+                console.log(analysis);
+                return;
+            }
+            console.error('Error: Platform argument required for analysis');
+            this.showHelp();
+        }
+        catch (error) {
+            console.error('Error executing persistence analysis:', error);
+            process.exit(1);
+        }
+    }
+}
+// CLI entry point
+if (import.meta.url === `file://${process.argv[1]}`) {
+    const cli = new PersistenceCLI();
+    cli.execute(process.argv.slice(2)).catch(error => {
+        console.error('Fatal error:', error);
+        process.exit(1);
+    });
+}
+export { PersistenceCLI };
+//# sourceMappingURL=persistence-cli.js.map

package/dist/security/persistence-cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"persistence-cli.js","sourceRoot":"","sources":["../../src/security/persistence-cli.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAchE,MAAM,cAAc;IACV,QAAQ,CAAsB;IAEtC;QACE,IAAI,CAAC,QAAQ,GAAG,IAAI,mBAAmB,EAAE,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAc;QAC3B,MAAM,MAAM,GAAiB,EAAE,CAAC;QAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YAEpB,QAAQ,GAAG,EAAE,CAAC;gBACZ,KAAK,YAAY,CAAC;gBAClB,KAAK,IAAI;oBACP,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;oBAC5B,MAAM;gBACR,KAAK,UAAU,CAAC;gBAChB,KAAK,IAAI;oBACP,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,CAA4B,CAAC;oBACrD,MAAM;gBACR,KAAK,uBAAuB,CAAC;gBAC7B,KAAK,IAAI;oBACP,MAAM,CAAC,kBAAkB,GAAG,IAAI,CAAC;oBACjC,MAAM;gBACR,KAAK,kBAAkB,CAAC;gBACxB,KAAK,IAAI;oBACP,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC,EAAE,CAAC,CAA2C,CAAC;oBAC3E,MAAM;gBACR,KAAK,kBAAkB,CAAC;gBACxB,KAAK,IAAI;oBACP,MAAM,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;oBACpC,IAAI,KAAK,EAAE,CAAC;wBACV,MAAM,CAAC,aAAa,GAAG,KAAK,CAAC;oBAC/B,CAAC;oBACD,MAAM;gBACR,KAAK,cAAc;oBACjB,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;oBACxB,MAAM;gBACR,KAAK,sBAAsB;oBACzB,MAAM,CAAC,iBAAiB,GAAG,IAAI,CAAC;oBAChC,MAAM;gBACR,KAAK,cAAc;oBACjB,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;oBACzB,MAAM;gBACR,KAAK,QAAQ,CAAC;gBACd,KAAK,IAAI;oBACP,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;oBACnB,MAAM;YACV,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAgCX,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,IAAc;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE7C,IAAI,UAAU,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChB,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;gBAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,sBAAsB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;gBAC7E,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,SAAS,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBAChD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBACvE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACvB,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,iBAAiB,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBACtE,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACjD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAC3E,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACpB,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG;oBACd,QAAQ,EAAE,UAAU,CAAC,QAAQ;oBAC7B,YAAY,EAAE,UAAU,CAAC,MAAM,IAAI,MAAM;oBACzC,kBAAkB,EAAE,UAAU,CAAC,kBAAkB,IAAI,KAAK;oBAC1D,aAAa,EAAE,UAAU,CAAC,aAAa,IAAI,QAAQ;iBACpD,CAAC;gBAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;gBACxD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACtB,OAAO;YACT,CAAC;YAED,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;QAElB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;CACF;AAED,kBAAkB;AAClB,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,cAAc,EAAE,CAAC;IACjC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;QAC/C,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/security/persistence-research.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Persistence Research Toolkit
+ *
+ * Comprehensive analysis of persistence mechanisms across operating systems
+ * for legitimate security research and testing purposes.
+ *
+ * This module provides tools for:
+ * - Analyzing Windows persistence techniques
+ * - Analyzing Linux persistence techniques
+ * - Detecting persistence mechanisms
+ * - Generating test cases for security validation
+ *
+ * @license MIT
+ * @author Bo Shang
+ */
+export interface PersistenceTechnique {
+    id: string;
+    name: string;
+    platform: 'windows' | 'linux' | 'macos' | 'cross-platform';
+    mitreId?: string;
+    description: string;
+    detectionMethods: string[];
+    remediationSteps: string[];
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+}
+export interface PersistenceAnalysis {
+    systemInfo: SystemInfo;
+    detectedTechniques: DetectedTechnique[];
+    recommendations: string[];
+    riskScore: number;
+}
+export interface SystemInfo {
+    platform: string;
+    architecture: string;
+    version: string;
+    user: string;
+    privileges: string[];
+}
+export interface DetectedTechnique {
+    technique: PersistenceTechnique;
+    evidence: string;
+    confidence: 'low' | 'medium' | 'high';
+    location: string;
+}
+/**
+ * Windows Persistence Techniques Database
+ */
+export declare const WINDOWS_PERSISTENCE_TECHNIQUES: PersistenceTechnique[];
+/**
+ * Linux Persistence Techniques Database
+ */
+export declare const LINUX_PERSISTENCE_TECHNIQUES: PersistenceTechnique[];
+/**
+ * Cross-platform Persistence Techniques
+ */
+export declare const CROSS_PLATFORM_PERSISTENCE_TECHNIQUES: PersistenceTechnique[];
+/**
+ * Persistence Research Toolkit Class
+ */
+export declare class PersistenceResearchToolkit {
+    private allTechniques;
+    constructor();
+    /**
+     * Get all persistence techniques for a specific platform
+     */
+    getTechniquesByPlatform(platform: string): PersistenceTechnique[];
+    /**
+     * Search techniques by MITRE ATT&CK ID
+     */
+    getTechniquesByMitreId(mitreId: string): PersistenceTechnique[];
+    /**
+     * Generate detection rules for a specific technique
+     */
+    generateDetectionRules(techniqueId: string): string[];
+    /**
+     * Generate Windows-specific detection rules
+     */
+    private generateWindowsDetectionRules;
+    /**
+     * Generate Linux-specific detection rules
+     */
+    private generateLinuxDetectionRules;
+    /**
+     * Generate test cases for security validation
+     */
+    generateTestCases(platform: string): string[];
+    /**
+     * Get remediation guidance for detected techniques
+     */
+    getRemediationGuidance(detectedTechniques: DetectedTechnique[]): string[];
+}
+//# sourceMappingURL=persistence-research.d.ts.map

package/dist/security/persistence-research.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"persistence-research.d.ts","sourceRoot":"","sources":["../../src/security/persistence-research.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,SAAS,GAAG,OAAO,GAAG,OAAO,GAAG,gBAAgB,CAAC;IAC3D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CACnD;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,UAAU,CAAC;IACvB,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,oBAAoB,CAAC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACtC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,eAAO,MAAM,8BAA8B,EAAE,oBAAoB,EA2FhE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,EAAE,oBAAoB,EA2F9D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qCAAqC,EAAE,oBAAoB,EAmCvE,CAAC;AAEF;;GAEG;AACH,qBAAa,0BAA0B;IACrC,OAAO,CAAC,aAAa,CAAyB;;IAU9C;;OAEG;IACH,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,oBAAoB,EAAE;IAMjE;;OAEG;IACH,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,oBAAoB,EAAE;IAI/D;;OAEG;IACH,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,EAAE;IAuBrD;;OAEG;IACH,OAAO,CAAC,6BAA6B;IAmCrC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE;IAe7C;;OAEG;IACH,sBAAsB,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,GAAG,MAAM,EAAE;CAgB1E"}

package/dist/security/persistence-research.js

@@ -0,0 +1,364 @@
+/**
+ * Persistence Research Toolkit
+ *
+ * Comprehensive analysis of persistence mechanisms across operating systems
+ * for legitimate security research and testing purposes.
+ *
+ * This module provides tools for:
+ * - Analyzing Windows persistence techniques
+ * - Analyzing Linux persistence techniques
+ * - Detecting persistence mechanisms
+ * - Generating test cases for security validation
+ *
+ * @license MIT
+ * @author Bo Shang
+ */
+/**
+ * Windows Persistence Techniques Database
+ */
+export const WINDOWS_PERSISTENCE_TECHNIQUES = [
+    {
+        id: 'win-registry-run',
+        name: 'Registry Run Keys',
+        platform: 'windows',
+        mitreId: 'T1547.001',
+        description: 'Malware adds entries to registry run keys to execute on system startup',
+        detectionMethods: [
+            'Monitor registry changes in HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
+            'Monitor registry changes in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
+            'Check for suspicious executable paths in run keys'
+        ],
+        remediationSteps: [
+            'Remove suspicious entries from registry run keys',
+            'Scan for associated malware',
+            'Monitor for registry modifications'
+        ],
+        riskLevel: 'high'
+    },
+    {
+        id: 'win-scheduled-tasks',
+        name: 'Scheduled Tasks',
+        platform: 'windows',
+        mitreId: 'T1053.005',
+        description: 'Creates scheduled tasks to execute malicious code at specific times or events',
+        detectionMethods: [
+            'Review scheduled tasks using schtasks command',
+            'Monitor Task Scheduler service events',
+            'Check for tasks with suspicious actions or triggers'
+        ],
+        remediationSteps: [
+            'Delete malicious scheduled tasks',
+            'Monitor Task Scheduler service',
+            'Implement application whitelisting'
+        ],
+        riskLevel: 'high'
+    },
+    {
+        id: 'win-services',
+        name: 'Windows Services',
+        platform: 'windows',
+        mitreId: 'T1543.003',
+        description: 'Creates or modifies Windows services to run malicious code',
+        detectionMethods: [
+            'Review services using sc query or Get-Service',
+            'Monitor service creation/modification events',
+            'Check for services with suspicious image paths'
+        ],
+        remediationSteps: [
+            'Stop and remove malicious services',
+            'Monitor service creation events',
+            'Implement service execution policies'
+        ],
+        riskLevel: 'critical'
+    },
+    {
+        id: 'win-dll-hijacking',
+        name: 'DLL Hijacking',
+        platform: 'windows',
+        mitreId: 'T1574.001',
+        description: 'Places malicious DLLs in application search paths to hijack legitimate processes',
+        detectionMethods: [
+            'Monitor DLL loading from unusual locations',
+            'Check for DLLs in application directories with weak permissions',
+            'Use process monitoring tools'
+        ],
+        remediationSteps: [
+            'Remove malicious DLLs',
+            'Secure application directories',
+            'Implement DLL search order hardening'
+        ],
+        riskLevel: 'medium'
+    },
+    {
+        id: 'win-wmi',
+        name: 'WMI Event Subscription',
+        platform: 'windows',
+        mitreId: 'T1546.003',
+        description: 'Uses WMI event subscriptions to trigger malicious code execution',
+        detectionMethods: [
+            'Query WMI event subscriptions',
+            'Monitor WMI event consumer creation',
+            'Check for suspicious WMI filters and consumers'
+        ],
+        remediationSteps: [
+            'Remove malicious WMI event subscriptions',
+            'Monitor WMI activity',
+            'Restrict WMI permissions'
+        ],
+        riskLevel: 'high'
+    }
+];
+/**
+ * Linux Persistence Techniques Database
+ */
+export const LINUX_PERSISTENCE_TECHNIQUES = [
+    {
+        id: 'linux-cron',
+        name: 'Cron Jobs',
+        platform: 'linux',
+        mitreId: 'T1053.003',
+        description: 'Adds malicious cron jobs to execute at scheduled intervals',
+        detectionMethods: [
+            'Review crontab files for all users',
+            'Monitor /etc/cron.* directories',
+            'Check for cron jobs with suspicious commands'
+        ],
+        remediationSteps: [
+            'Remove malicious cron entries',
+            'Monitor cron job creation',
+            'Implement cron access controls'
+        ],
+        riskLevel: 'high'
+    },
+    {
+        id: 'linux-systemd',
+        name: 'Systemd Services',
+        platform: 'linux',
+        mitreId: 'T1543.002',
+        description: 'Creates or modifies systemd services for persistence',
+        detectionMethods: [
+            'Review systemd service files in /etc/systemd/system/',
+            'Monitor service unit file creation',
+            'Check for services with suspicious ExecStart commands'
+        ],
+        remediationSteps: [
+            'Stop and remove malicious services',
+            'Monitor systemd service creation',
+            'Implement service validation'
+        ],
+        riskLevel: 'critical'
+    },
+    {
+        id: 'linux-ssh-keys',
+        name: 'SSH Authorized Keys',
+        platform: 'linux',
+        mitreId: 'T1098.004',
+        description: 'Adds backdoor SSH keys to authorized_keys files',
+        detectionMethods: [
+            'Review ~/.ssh/authorized_keys files',
+            'Monitor SSH key additions',
+            'Check for unknown public keys'
+        ],
+        remediationSteps: [
+            'Remove unauthorized SSH keys',
+            'Monitor authorized_keys modifications',
+            'Implement SSH key management'
+        ],
+        riskLevel: 'high'
+    },
+    {
+        id: 'linux-shell-config',
+        name: 'Shell Configuration Files',
+        platform: 'linux',
+        mitreId: 'T1546.004',
+        description: 'Modifies shell configuration files (.bashrc, .profile, etc.) to execute malicious code',
+        detectionMethods: [
+            'Review shell configuration files',
+            'Monitor modifications to .bashrc, .profile, etc.',
+            'Check for suspicious commands in shell startup files'
+        ],
+        remediationSteps: [
+            'Remove malicious shell configurations',
+            'Monitor shell configuration changes',
+            'Implement file integrity monitoring'
+        ],
+        riskLevel: 'medium'
+    },
+    {
+        id: 'linux-ld-so-preload',
+        name: 'LD_PRELOAD Hijacking',
+        platform: 'linux',
+        mitreId: 'T1574.006',
+        description: 'Uses LD_PRELOAD environment variable to load malicious libraries',
+        detectionMethods: [
+            'Check LD_PRELOAD environment variable',
+            'Monitor /etc/ld.so.preload file',
+            'Review shell environment variables'
+        ],
+        remediationSteps: [
+            'Remove malicious LD_PRELOAD settings',
+            'Monitor environment variable changes',
+            'Implement library validation'
+        ],
+        riskLevel: 'medium'
+    }
+];
+/**
+ * Cross-platform Persistence Techniques
+ */
+export const CROSS_PLATFORM_PERSISTENCE_TECHNIQUES = [
+    {
+        id: 'cross-browser-extensions',
+        name: 'Browser Extensions',
+        platform: 'cross-platform',
+        description: 'Installs malicious browser extensions for persistence',
+        detectionMethods: [
+            'Review installed browser extensions',
+            'Monitor extension installation events',
+            'Check for suspicious extension permissions'
+        ],
+        remediationSteps: [
+            'Remove malicious browser extensions',
+            'Monitor extension installations',
+            'Implement browser security policies'
+        ],
+        riskLevel: 'medium'
+    },
+    {
+        id: 'cross-startup-items',
+        name: 'Startup Items/Applications',
+        platform: 'cross-platform',
+        description: 'Adds items to user or system startup locations',
+        detectionMethods: [
+            'Review startup directories and registry keys',
+            'Monitor startup item creation',
+            'Check for suspicious startup applications'
+        ],
+        remediationSteps: [
+            'Remove malicious startup items',
+            'Monitor startup locations',
+            'Implement application whitelisting'
+        ],
+        riskLevel: 'high'
+    }
+];
+/**
+ * Persistence Research Toolkit Class
+ */
+export class PersistenceResearchToolkit {
+    allTechniques;
+    constructor() {
+        this.allTechniques = [
+            ...WINDOWS_PERSISTENCE_TECHNIQUES,
+            ...LINUX_PERSISTENCE_TECHNIQUES,
+            ...CROSS_PLATFORM_PERSISTENCE_TECHNIQUES
+        ];
+    }
+    /**
+     * Get all persistence techniques for a specific platform
+     */
+    getTechniquesByPlatform(platform) {
+        return this.allTechniques.filter(tech => tech.platform === platform || tech.platform === 'cross-platform');
+    }
+    /**
+     * Search techniques by MITRE ATT&CK ID
+     */
+    getTechniquesByMitreId(mitreId) {
+        return this.allTechniques.filter(tech => tech.mitreId === mitreId);
+    }
+    /**
+     * Generate detection rules for a specific technique
+     */
+    generateDetectionRules(techniqueId) {
+        const technique = this.allTechniques.find(t => t.id === techniqueId);
+        if (!technique) {
+            return ['Technique not found'];
+        }
+        const rules = [];
+        // Generate platform-specific detection rules
+        switch (technique.platform) {
+            case 'windows':
+                rules.push(...this.generateWindowsDetectionRules(technique));
+                break;
+            case 'linux':
+                rules.push(...this.generateLinuxDetectionRules(technique));
+                break;
+            default:
+                rules.push(...technique.detectionMethods);
+        }
+        return rules;
+    }
+    /**
+     * Generate Windows-specific detection rules
+     */
+    generateWindowsDetectionRules(technique) {
+        const rules = [];
+        switch (technique.id) {
+            case 'win-registry-run':
+                rules.push('Monitor registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'Monitor registry key: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'Use Sysmon Event ID 13 (Registry value set) for monitoring', 'Check for executables in user temp directories or unusual locations');
+                break;
+            case 'win-scheduled-tasks':
+                rules.push('Monitor Task Scheduler events (Event ID 106, 140)', 'Use schtasks /query to list all tasks', 'Check for tasks with SYSTEM privileges', 'Monitor XML task files in C:\\Windows\\System32\\Tasks');
+                break;
+            case 'win-services':
+                rules.push('Monitor Service Control Manager events (Event ID 7045)', 'Use sc query to list services', 'Check for services with unusual image paths', 'Monitor service creation via WMI');
+                break;
+            default:
+                rules.push(...technique.detectionMethods);
+        }
+        return rules;
+    }
+    /**
+     * Generate Linux-specific detection rules
+     */
+    generateLinuxDetectionRules(technique) {
+        const rules = [];
+        switch (technique.id) {
+            case 'linux-cron':
+                rules.push('Monitor /var/spool/cron/crontabs/', 'Check /etc/crontab and /etc/cron.d/*', 'Use auditd to monitor cron job creation', 'Review system logs for cron execution');
+                break;
+            case 'linux-systemd':
+                rules.push('Monitor /etc/systemd/system/ directory', 'Use systemctl list-unit-files to check services', 'Check for services in /usr/lib/systemd/system/', 'Monitor journalctl for service activity');
+                break;
+            case 'linux-ssh-keys':
+                rules.push('Monitor ~/.ssh/authorized_keys file modifications', 'Check /etc/ssh/sshd_config for authorized keys settings', 'Use auditd to monitor SSH key additions', 'Review SSH authentication logs');
+                break;
+            default:
+                rules.push(...technique.detectionMethods);
+        }
+        return rules;
+    }
+    /**
+     * Generate test cases for security validation
+     */
+    generateTestCases(platform) {
+        const techniques = this.getTechniquesByPlatform(platform);
+        const testCases = [];
+        techniques.forEach(technique => {
+            testCases.push(`Test: ${technique.name} (${technique.mitreId || 'N/A'})`);
+            testCases.push(`- Description: ${technique.description}`);
+            testCases.push(`- Detection Methods: ${technique.detectionMethods.join(', ')}`);
+            testCases.push(`- Risk Level: ${technique.riskLevel}`);
+            testCases.push('');
+        });
+        return testCases;
+    }
+    /**
+     * Get remediation guidance for detected techniques
+     */
+    getRemediationGuidance(detectedTechniques) {
+        const guidance = [];
+        detectedTechniques.forEach(detected => {
+            guidance.push(`Technique: ${detected.technique.name}`);
+            guidance.push(`Confidence: ${detected.confidence}`);
+            guidance.push(`Location: ${detected.location}`);
+            guidance.push('Remediation Steps:');
+            detected.technique.remediationSteps.forEach(step => {
+                guidance.push(`  - ${step}`);
+            });
+            guidance.push('');
+        });
+        return guidance;
+    }
+}
+//# sourceMappingURL=persistence-research.js.map

package/dist/security/persistence-research.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"persistence-research.js","sourceRoot":"","sources":["../../src/security/persistence-research.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAmCH;;GAEG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAA2B;IACpE;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,wEAAwE;QACrF,gBAAgB,EAAE;YAChB,kGAAkG;YAClG,mGAAmG;YACnG,mDAAmD;SACpD;QACD,gBAAgB,EAAE;YAChB,kDAAkD;YAClD,6BAA6B;YAC7B,oCAAoC;SACrC;QACD,SAAS,EAAE,MAAM;KAClB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,+EAA+E;QAC5F,gBAAgB,EAAE;YAChB,+CAA+C;YAC/C,uCAAuC;YACvC,qDAAqD;SACtD;QACD,gBAAgB,EAAE;YAChB,kCAAkC;YAClC,gCAAgC;YAChC,oCAAoC;SACrC;QACD,SAAS,EAAE,MAAM;KAClB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,4DAA4D;QACzE,gBAAgB,EAAE;YAChB,+CAA+C;YAC/C,8CAA8C;YAC9C,gDAAgD;SACjD;QACD,gBAAgB,EAAE;YAChB,oCAAoC;YACpC,iCAAiC;YACjC,sCAAsC;SACvC;QACD,SAAS,EAAE,UAAU;KACtB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,kFAAkF;QAC/F,gBAAgB,EAAE;YAChB,4CAA4C;YAC5C,iEAAiE;YACjE,8BAA8B;SAC/B;QACD,gBAAgB,EAAE;YAChB,uBAAuB;YACvB,gCAAgC;YAChC,sCAAsC;SACvC;QACD,SAAS,EAAE,QAAQ;KACpB;IACD;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,kEAAkE;QAC/E,gBAAgB,EAAE;YAChB,+BAA+B;YAC/B,qCAAqC;YACrC,gDAAgD;SACjD;QACD,gBAAgB,EAAE;YAChB,0CAA0C;YAC1C,sBAAsB;YACtB,0BAA0B;SAC3B;QACD,SAAS,EAAE,MAAM;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAA2B;IAClE;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,4DAA4D;QACzE,gBAAgB,EAAE;YAChB,oCAAoC;YACpC,iCAAiC;YACjC,8CAA8C;SAC/C;QACD,gBAAgB,EAAE;YAChB,+BAA+B;YAC/B,2BAA2B;YAC3B,gCAAgC;SACjC;QACD,SAAS,EAAE,MAAM;KAClB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,sDAAsD;QACnE,gBAAgB,EAAE;YAChB,sDAAsD;YACtD,oCAAoC;YACpC,uDAAuD;SACxD;QACD,gBAAgB,EAAE;YAChB,oCAAoC;YACpC,kCAAkC;YAClC,8BAA8B;SAC/B;QACD,SAAS,EAAE,UAAU;KACtB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,iDAAiD;QAC9D,gBAAgB,EAAE;YAChB,qCAAqC;YACrC,2BAA2B;YAC3B,+BAA+B;SAChC;QACD,gBAAgB,EAAE;YAChB,8BAA8B;YAC9B,uCAAuC;YACvC,8BAA8B;SAC/B;QACD,SAAS,EAAE,MAAM;KAClB;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,wFAAwF;QACrG,gBAAgB,EAAE;YAChB,kCAAkC;YAClC,kDAAkD;YAClD,sDAAsD;SACvD;QACD,gBAAgB,EAAE;YAChB,uCAAuC;YACvC,qCAAqC;YACrC,qCAAqC;SACtC;QACD,SAAS,EAAE,QAAQ;KACpB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,kEAAkE;QAC/E,gBAAgB,EAAE;YAChB,uCAAuC;YACvC,iCAAiC;YACjC,oCAAoC;SACrC;QACD,gBAAgB,EAAE;YAChB,sCAAsC;YACtC,sCAAsC;YACtC,8BAA8B;SAC/B;QACD,SAAS,EAAE,QAAQ;KACpB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAA2B;IAC3E;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,gBAAgB;QAC1B,WAAW,EAAE,uDAAuD;QACpE,gBAAgB,EAAE;YAChB,qCAAqC;YACrC,uCAAuC;YACvC,4CAA4C;SAC7C;QACD,gBAAgB,EAAE;YAChB,qCAAqC;YACrC,iCAAiC;YACjC,qCAAqC;SACtC;QACD,SAAS,EAAE,QAAQ;KACpB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,gBAAgB;QAC1B,WAAW,EAAE,gDAAgD;QAC7D,gBAAgB,EAAE;YAChB,8CAA8C;YAC9C,+BAA+B;YAC/B,2CAA2C;SAC5C;QACD,gBAAgB,EAAE;YAChB,gCAAgC;YAChC,2BAA2B;YAC3B,oCAAoC;SACrC;QACD,SAAS,EAAE,MAAM;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,0BAA0B;IAC7B,aAAa,CAAyB;IAE9C;QACE,IAAI,CAAC,aAAa,GAAG;YACnB,GAAG,8BAA8B;YACjC,GAAG,4BAA4B;YAC/B,GAAG,qCAAqC;SACzC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,uBAAuB,CAAC,QAAgB;QACtC,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CACtC,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,gBAAgB,CACjE,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,OAAe;QACpC,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IACrE,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,WAAmB;QACxC,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,WAAW,CAAC,CAAC;QACrE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,qBAAqB,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,6CAA6C;QAC7C,QAAQ,SAAS,CAAC,QAAQ,EAAE,CAAC;YAC3B,KAAK,SAAS;gBACZ,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC7D,MAAM;YACR,KAAK,OAAO;gBACV,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,2BAA2B,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC3D,MAAM;YACR;gBACE,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,6BAA6B,CAAC,SAA+B;QACnE,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,QAAQ,SAAS,CAAC,EAAE,EAAE,CAAC;YACrB,KAAK,kBAAkB;gBACrB,KAAK,CAAC,IAAI,CACR,4FAA4F,EAC5F,6FAA6F,EAC7F,4DAA4D,EAC5D,qEAAqE,CACtE,CAAC;gBACF,MAAM;YACR,KAAK,qBAAqB;gBACxB,KAAK,CAAC,IAAI,CACR,mDAAmD,EACnD,uCAAuC,EACvC,wCAAwC,EACxC,wDAAwD,CACzD,CAAC;gBACF,MAAM;YACR,KAAK,cAAc;gBACjB,KAAK,CAAC,IAAI,CACR,wDAAwD,EACxD,+BAA+B,EAC/B,6CAA6C,EAC7C,kCAAkC,CACnC,CAAC;gBACF,MAAM;YACR;gBACE,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,2BAA2B,CAAC,SAA+B;QACjE,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,QAAQ,SAAS,CAAC,EAAE,EAAE,CAAC;YACrB,KAAK,YAAY;gBACf,KAAK,CAAC,IAAI,CACR,mCAAmC,EACnC,sCAAsC,EACtC,yCAAyC,EACzC,uCAAuC,CACxC,CAAC;gBACF,MAAM;YACR,KAAK,eAAe;gBAClB,KAAK,CAAC,IAAI,CACR,wCAAwC,EACxC,iDAAiD,EACjD,gDAAgD,EAChD,yCAAyC,CAC1C,CAAC;gBACF,MAAM;YACR,KAAK,gBAAgB;gBACnB,KAAK,CAAC,IAAI,CACR,mDAAmD,EACnD,yDAAyD,EACzD,yCAAyC,EACzC,gCAAgC,CACjC,CAAC;gBACF,MAAM;YACR;gBACE,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,QAAgB;QAChC,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE;YAC7B,SAAS,CAAC,IAAI,CAAC,SAAS,SAAS,CAAC,IAAI,KAAK,SAAS,CAAC,OAAO,IAAI,KAAK,GAAG,CAAC,CAAC;YAC1E,SAAS,CAAC,IAAI,CAAC,kBAAkB,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC;YAC1D,SAAS,CAAC,IAAI,CAAC,wBAAwB,SAAS,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChF,SAAS,CAAC,IAAI,CAAC,iBAAiB,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;YACvD,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,kBAAuC;QAC5D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE;YACpC,QAAQ,CAAC,IAAI,CAAC,cAAc,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YACvD,QAAQ,CAAC,IAAI,CAAC,eAAe,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACpD,QAAQ,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;YACpC,QAAQ,CAAC,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;gBACjD,QAAQ,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC;YACH,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}