diff --git a/artifacts/files/applications/git.yaml b/artifacts/files/applications/git.yaml
new file mode 100644
index 0000000..3656e34
--- /dev/null
+++ b/artifacts/files/applications/git.yaml
@@ -0,0 +1,28 @@
+version: 1.0
+artifacts:
+# Git hooks/Git pager can be used to run persistence.
+# ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+  -
+    description: Collect Git hooks under .git/hooks directory.
+    supported_os: [linux]
+    collector: file
+    path: /
+    path_pattern: ["*/.git/hooks/*"]
+    file_type: [f]
+  -
+    description: Collect /etc/gitconfig file.
+    supported_os: [linux]
+    collector: file
+    path: /etc/gitconfig
+  -
+    description: Collect ~/.gitconfig file.
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.gitconfig
+    exclude_nologin_users: true
+  -
+    description: Collect ~/.config/git/gitconfig file.
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.config/git/config
+    exclude_nologin_users: true
diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml
index f5b3284..f0008c8 100644
--- a/profiles/ir_triage.yaml
+++ b/profiles/ir_triage.yaml
@@ -25,6 +25,7 @@ artifacts:
   - live_response/vms/*
   - chkrootkit/chkrootkit.yaml
   - hash_executables/hash_executables.yaml
+  - files/applications/git.yaml
   - files/applications/lesshst.yaml
   - files/applications/viminfo.yaml
   - files/applications/wget.yaml
@@ -33,4 +34,3 @@ artifacts:
   - files/shell/*
   - files/ssh/*
   - files/system/*
-
\ No newline at end of file
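Review bot: The fourth entry's description names `~/.config/git/gitconfig` while its `path` collects `/%user_home%/.config/git/config`; the path is the location git actually reads (`$XDG_CONFIG_HOME/git/config`), so the description should be `description: Collect ~/.config/git/config file.`. More relevant to the persistence use case the header comment cites, nothing in this file collects the per-repository `.git/config`, which is where a repo-scoped `core.hooksPath`, `core.pager`, `core.fsmonitor` or `core.sshCommand` would be set — and a `core.hooksPath` pointing outside `.git/hooks` also means the `*/.git/hooks/*` pattern never sees those hooks, so the repo config is needed to know where to look. Two smaller gaps worth a comment in the file rather than silently accepting: `file_type: [f]` skips hook entries that are symlinks to a payload elsewhere, and bare repositories keep `hooks/` directly under the repo root rather than under `.git/`, so neither is matched by the current pattern. The entry below, in the same shape as the existing ones, closes the repository-config gap; the global/system config entries can stay as they are.
```yaml
artifacts:
# … unchanged: header comment and the four existing entries …
  -
    description: Collect per-repository .git/config files (repo-scoped core.hooksPath, core.pager, core.fsmonitor, core.sshCommand).
    supported_os: [linux]
    collector: file
    path: /
    path_pattern: ["*/.git/config"]
    file_type: [f]
```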