decPEAS (Detection PEAS) is a Bash-based security assessment tool for Blue Teamers and DFIR analysts.
Inspired by linPEAS, it focuses not on privilege escalation, but on detecting persistence mechanisms and post-exploitation traces within Linux systems.
Attackers often establish persistence to maintain access after initial compromise.
decPEAS helps defenders detect common and advanced persistence methods by performing a deep inspection of system configurations, startup scripts, and background services.
## Features

### System-wide Persistence Checks

- Startup entries in `/etc/rc.local`, `/etc/init.d/`, and systemd services
- Cron jobs (`/etc/cron*`, user crontabs, anacron)
- `at` and `batch` scheduled tasks

### User-level Persistence

- `.bashrc`, `.profile`, `.bash_login`, `.zshrc` modifications
- SSH authorized keys and command options
- Hidden scripts in home directories
- Sudoers file abuse for persistence

### Advanced Techniques Detection

- Malicious systemd units or timers
- Modified `/etc/profile` or PAM configuration hooks
- Suspicious binaries in `$PATH`
- `LD_PRELOAD` or `LD_LIBRARY_PATH` injections
- Kernel modules or backdoored drivers

### Forensic Artifacts

- Recently modified binaries and scripts
- Unusual files in `/tmp`, `/dev/shm`, `/var/tmp`
- Abnormal processes or startup entries
- Potential reverse shells or listener scripts

### Color-coded Output

- 🔴 High severity (definitely malicious)
- 🟡 Suspicious or uncommon
- 🟢 Benign / informational
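As an added illustration of the kind of check the feature list describes (this is example code, not decPEAS's own implementation), the script below classifies two artifacts the way the severity levels above suggest: libraries listed in an `ld.so.preload`-style file, and the program each `ExecStart=` line of a systemd unit launches. A path under `/tmp`, `/dev/shm`, `/var/tmp` or a home directory is rated HIGH, a path outside the standard binary and library directories SUSPICIOUS, and anything else INFO; a preload entry is never rated below SUSPICIOUS because a clean system has none. The sample preload file and unit file are constructed inline so the script runs offline; the unit deliberately carries several `ExecStart=` lines just to exercise each branch.

```shell
#!/usr/bin/env bash
# Added example, not decPEAS code: classify ld.so.preload entries and systemd
# ExecStart targets by where on disk they live.

# Writable or temporary locations a legitimate library or service binary
# should never be loaded from.
is_writable_location() {
  case "$1" in
    /tmp/*|/dev/shm/*|/var/tmp/*|/home/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Standard system directories for binaries and shared libraries.
is_trusted_location() {
  case "$1" in
    /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*|/usr/local/sbin/*|\
    /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/libexec/*|/opt/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print HIGH, SUSPICIOUS or INFO for one absolute path.
classify_path() {
  if is_writable_location "$1"; then echo HIGH
  elif is_trusted_location "$1"; then echo INFO
  else echo SUSPICIOUS
  fi
}

# Report every library listed in an ld.so.preload-style file. Entries are
# separated by whitespace or colons and '#' starts a comment. Because a clean
# system has no entries at all, nothing here is rated below SUSPICIOUS.
check_ld_preload() {
  local file="$1" lib level
  [ -f "$file" ] || return 0
  sed 's/#.*//' "$file" | tr ' \t:' '\n\n\n' | grep -v '^$' |
  while read -r lib; do
    level=$(classify_path "$lib")
    [ "$level" = INFO ] && level=SUSPICIOUS
    echo "$level preload: $lib"
  done
}

# Report the program each ExecStart= line of a systemd unit launches.
# systemd allows prefix characters (- @ + ! :) before the path; strip them
# and keep only the first token of the command line.
check_unit_execstart() {
  local file="$1" cmd prog
  [ -f "$file" ] || return 0
  grep -E '^ *ExecStart *=' "$file" | sed 's/^[^=]*= *//' |
  while read -r cmd; do
    prog=${cmd%% *}
    prog=$(printf '%s' "$prog" | sed 's/^[-@+!:]*//')
    [ -n "$prog" ] || continue
    echo "$(classify_path "$prog") ExecStart: $prog"
  done
}

# Constructed sample inputs (not taken from any real system) written into
# the directory given as $1.
make_samples() {
  printf '/tmp/.cache/libhook.so\n/usr/lib/libvendor.so # vendor agent\n' \
    > "$1/ld.so.preload"
  cat > "$1/example.service" <<'EOF'
[Unit]
Description=constructed sample unit
[Service]
ExecStart=-/usr/bin/daemon --flag
ExecStart=/dev/shm/.svc/run.sh
ExecStart=/srv/app/bin/app
EOF
}

# Demonstration run against the constructed samples.
samples=$(mktemp -d)
make_samples "$samples"
check_ld_preload "$samples/ld.so.preload"
check_unit_execstart "$samples/example.service"
rm -rf "$samples"
```

On a real host you would point `check_ld_preload` at `/etc/ld.so.preload` and loop `check_unit_execstart` over `/etc/systemd/system/*.service`; the location-based rating is a first pass only, so a SUSPICIOUS result for a vendor path such as `/srv/app/bin/app` still needs the file's hash, owner and modification time reviewed before it is dismissed.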
## Requirements

- Linux (tested on Ubuntu, Debian, CentOS, and Kali)
- bash ≥ 4.0
- Optional tools (auto-detected): `grep`, `awk`, `sed`, `ps`, `ls`, `find`, `systemctl`, `crontab`
## Installation

```bash
git clone https://github.com/root0x7/decPEAS.git
cd decPEAS
chmod +x decPEAS.sh
```

## Usage

Run it as root for full visibility:

```bash
sudo ./decPEAS.sh
```

Or scan only the current user's environment:

```bash
./decPEAS.sh --user
```

Example output:

```
[+] Checking for systemd persistence...
🔴 Suspicious service found: /etc/systemd/system/ssh-backdoor.service
[+] Checking for modified bash profiles...
🟡 /home/user/.bashrc modified recently (possible persistence)
```

You can export the results for later analysis:

```bash
./decPEAS.sh --output report.txt
```