last-byte/PersistenceSniper

Article Excerpt

PersistenceSniper is a PowerShell script that Blue Teams, Incident Responders and System Administrators can use to hunt for persistences implanted in Windows machines. The script is also available on the PowerShell Gallery. Why write such a tool, you might ask.

property            | value
--------------------|------
tags                | defensive-tradecraft,github-repo,tactic-persistence,tradecraft-tool
url                 |
original_word_count | 1205

Long Summary

PersistenceSniper is a PowerShell module designed to help Blue Teams, Incident Responders and System Administrators hunt for persistences implanted in Windows machines. It is available on the PowerShell Gallery and is digitally signed with a valid code signing certificate. It is easy to use and can be run remotely. It returns an array of objects of type PSCustomObject with properties such as ComputerName, Technique, Classification, Path, Value, Access Gained, Note, Reference, Signature, IsBuiltinBinary, IsLolbin, and VTEntries. It also has parameters for writing the findings directly to a CSV file, and it can take a CSV file from a previous run as input and diff the new results against it.

A cool way to use PersistenceSniper is to run it incrementally: set up a Scheduled Task that runs every X hours, feeds in the output of the previous iteration through the -DiffCSV parameter and writes the results to a new CSV. This allows incremental changes to be tracked, making it easier to spot new persistences implanted on the machine being monitored.
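The incremental workflow above as a runnable script, added here as an example and not part of the PersistenceSniper project itself: the -DiffCSV parameter is the one named on this page, while the cmdlet name Find-AllPersistence, the -OutputCSV parameter and the state directory are assumed from the module's published usage. The first run records a baseline CSV; later runs (scheduled every few hours as SYSTEM) diff against that baseline and keep a dated CSV of whatever was new, and an explicit -RefreshBaseline switch lets an analyst accept the current state after triage.

```powershell
# Incremental PersistenceSniper sweep (added example; Find-AllPersistence and
# -OutputCSV are assumed from the module's published usage, -DiffCSV is the
# parameter named on this page). First run records a baseline; later runs
# report only findings absent from it.
param(
    [string]$StateDir = 'C:\ProgramData\PersistenceSniper',  # assumed location
    [int]$IntervalHours = 6,
    [switch]$Install,          # register the recurring Scheduled Task and exit
    [switch]$RefreshBaseline   # accept the current state after triage
)

Import-Module PersistenceSniper -ErrorAction Stop
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$baseline = Join-Path $StateDir 'baseline.csv'

if ($Install) {
    # Re-run this same script as SYSTEM every $IntervalHours.
    $arg = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -StateDir `"$StateDir`""
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arg
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                     -RepetitionInterval (New-TimeSpan -Hours $IntervalHours)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'PersistenceSniper-Incremental' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    return
}

if ($RefreshBaseline -or -not (Test-Path $baseline)) {
    # Establish (or re-establish) the reference state. Everything found here
    # is reported once so that the first triage is not silent.
    $findings = Find-AllPersistence -OutputCSV $baseline
} else {
    # Diff against the fixed baseline; the dated CSV keeps a record of what
    # was new at this iteration for later investigation.
    $runCsv   = Join-Path $StateDir ("new-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
    $findings = Find-AllPersistence -DiffCSV $baseline -OutputCSV $runCsv
}

# Triage order: binaries that are not Windows built-ins first, then by technique.
$findings |
    Sort-Object @{ Expression = { $_.IsBuiltinBinary } }, Technique |
    Select-Object ComputerName, Technique, Path, Value, Signature, IsLolbin, VTEntries |
    Format-Table -AutoSize
```

Run once with -Install to register the task; the table output is only useful interactively, the CSV files under the state directory are the durable record.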

So far, 47 techniques have been implemented successfully, including Run Key, RunOnce Key, Image File Execution Options, Natural Language Development Platform 6 DLL Override Path, AEDebug Keys, Windows Error Reporting Debugger, Windows Error Reporting ReflectDebugger, Command Prompt AutoRun, Explorer Load, Winlogon Userinit, Winlogon Shell, Windows Terminal startOnUserLogin, AppCertDlls DLL Injection, App Paths Hijacking, ServiceDll Hijacking, Group Policy Extensions DLLs, Winlogon MPNotify, CHM Helper DLL, Hijacking of hhctrl.ocx, Startup Folder, User Init Mpr Logon Script, AutodialDLL Winsock Injection, LSA Extensions DLL, ServerLevelPluginDll DNS Server DLL Hijacking, LSA Authentication Packages DLL, LSA Security Packages DLL, Winlogon Notify Packages DLL, Explorer Tools Hijacking, .NET DbgManagedDebugger, ErrorHandler.cmd Hijacking, WMI Subscriptions, Windows Services, Terminal Services InitialProgram, Accessibility Tools Backdoor, AMSI Providers, Powershell Profiles, Silent Exit Monitor, Telemetry Controller, RDP WDS Startup Programs, Scheduled Tasks, BITS Jobs NotifyCmdLine, Power Autom

Short Summary

📓 last-byte/PersistenceSniper

šŸ‘‰šŸ½ PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery. Why writing such a tool, you might ask. šŸ‘‰šŸ½ Purpose of the PersistenceSniper Powershell module šŸ‘‰šŸ½ Aimed at aiding Blue Teams, Incident Responders, and System Administrators šŸ‘‰šŸ½ Helps with the detection of persistences on Windows machines šŸ‘‰šŸ½ Available on Powershell Gallery and digitally signed šŸ‘‰šŸ½ Easy to use and can be run remotely šŸ‘‰šŸ½ Returns an array of objects with various properties šŸ‘‰šŸ½ Can output findings to CSV files and diff results against previous iterations šŸ‘‰šŸ½ Allows for incremental monitoring and tracking of changes šŸ‘‰šŸ½ Currently supports 47 persistence techniques šŸ‘‰šŸ½ Includes common tactics such as Run Key and Image File Execution Options.

#PersistenceSniper #Powershell #WindowsMachines #IncrementalTracking #PersistenceTechniques