# Linux Persistence Mechanisms Investigation Playbook
## 🎯 Overview
This playbook provides a structured approach to identifying and analyzing persistence mechanisms on Linux systems during DFIR investigations, threat hunting activities, and CTF scenarios.
Persistence is a critical stage in the attack lifecycle: it lets adversaries keep long-term access that survives reboots, using user logins, scheduled tasks, services, and remote access mechanisms.
## 🧠 Persistence Coverage
1. [SSH authorized_keys persistence](01-ssh-authorized-keys-persistence.md)
2. [Cron jobs & at jobs abuse](02-cron-and-at-jobs-abuse.md)
3. [Systemd service persistence](03-systemd-service-persistence.md)
4. [Shell startup files persistence](04-shell-startup-files-persistence.md)
5. [Web shell persistence](05-web-shell-persistence.md)