Article Excerpt
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery. Why write such a tool, you might ask.
| property | value |
| --- | --- |
| tags | defensive-tradecraft,github-repo,tactic-persistence,tradecraft-tool |
| url | |
| original_word_count | 1205 |
Long Summary
PersistenceSniper is a Powershell module designed to help Blue Teams, Incident Responders and System Administrators hunt for persistences implanted in Windows machines. It is available on Powershell Gallery and is digitally signed with a valid code signing certificate. It is easy to use and can be run remotely. It returns an array of objects of type PSCustomObject with properties such as ComputerName, Technique, Classification, Path, Value, Access Gained, Note, Reference, Signature, IsBuiltinBinary, IsLolbin, and VTEntries. It also has parameters for writing the findings directly to a CSV file, and for taking a previous CSV file as input and diffing the new results against it.
A cool way to use PersistenceSniper is to use it incrementally: you could set up a Scheduled Task which runs every X hours, takes in the output of the previous iteration through the -DiffCSV parameter and outputs the results to a new CSV. This allows for tracking of incremental changes, making it easier to spot new persistences implanted on the machine being monitored.
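The incremental workflow described above, written out as an added example (this is not code from the PersistenceSniper project or from the summarised page). It assumes the module is installed from Powershell Gallery and exposes a `Find-AllPersistence` cmdlet accepting the `-DiffCSV` parameter named on the page; the cmdlet name itself, the `C:\PersistenceHunt` folder, the `PersistenceHunt` task name and the 4-hour interval are assumptions chosen for the example. It also shows how the `IsBuiltinBinary` and `IsLolbin` properties listed above can be used to put the least-likely-benign findings first.

```powershell
# Added example: incremental persistence hunting with a CSV diff chain.
# Assumptions (not stated on the page): the module exposes Find-AllPersistence,
# and the folder/task names below are constructed for this example.

$HuntDir = 'C:\PersistenceHunt'                      # constructed: CSV history folder
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutCsv  = Join-Path $HuntDir "persistence-$Stamp.csv"

New-Item -ItemType Directory -Path $HuntDir -Force | Out-Null
Import-Module PersistenceSniper -ErrorAction Stop

# The most recent previous run, if any, is the baseline to diff against.
$Previous = Get-ChildItem -Path $HuntDir -Filter 'persistence-*.csv' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if ($Previous) {
    # -DiffCSV: only findings absent from the previous CSV are returned.
    $Findings = Find-AllPersistence -DiffCSV $Previous.FullName
} else {
    # First run: collect the full baseline.
    $Findings = Find-AllPersistence
}

# Persist this iteration; it becomes the next run's -DiffCSV input.
$Findings | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8

# Triage view: non-builtin binaries and LOLBins first, using the object
# properties the module returns (IsBuiltinBinary, IsLolbin are booleans).
$Findings |
    Sort-Object @{ Expression = { -not $_.IsBuiltinBinary -or $_.IsLolbin }; Descending = $true } |
    Select-Object ComputerName, Technique, Classification, Path, Value, Signature, IsBuiltinBinary, IsLolbin |
    Format-Table -AutoSize

# Optional: when run from a saved .ps1 file, register it as a Scheduled Task
# running every 4 hours as SYSTEM so the diff chain maintains itself.
$TaskName = 'PersistenceHunt'                        # constructed task name
if ($PSCommandPath -and -not (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)) {
    $Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -File `"$PSCommandPath`""
    $Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
                   -RepetitionInterval (New-TimeSpan -Hours 4)
    $Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal | Out-Null
}
```

Each run writes a timestamped CSV, so the folder doubles as an audit trail: any finding that first appears in a given file appeared on the host between that run and the previous one, which narrows the window an incident responder has to look at.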
So far, 47 techniques have been implemented successfully, including Run Key, RunOnce Key, Image File Execution Options, Natural Language Development Platform 6 DLL Override Path, AEDebug Keys, Windows Error Reporting Debugger, Windows Error Reporting ReflectDebugger, Command Prompt AutoRun, Explorer Load, Winlogon Userinit, Winlogon Shell, Windows Terminal startOnUserLogin, AppCertDlls DLL Injection, App Paths Hijacking, ServiceDll Hijacking, Group Policy Extensions DLLs, Winlogon MPNotify, CHM Helper DLL, Hijacking of hhctrl.ocx, Startup Folder, User Init Mpr Logon Script, AutodialDLL Winsock Injection, LSA Extensions DLL, ServerLevelPluginDll DNS Server DLL Hijacking, LSA Authentication Packages DLL, LSA Security Packages DLL, Winlogon Notify Packages DLL, Explorer Tools Hijacking, .NET DbgManagedDebugger, ErrorHandler.cmd Hijacking, WMI Subscriptions, Windows Services, Terminal Services InitialProgram, Accessibility Tools Backdoor, AMSI Providers, Powershell Profiles, Silent Exit Monitor, Telemetry Controller, RDP WDS Startup Programs, Scheduled Tasks, BITS Jobs NotifyCmdLine, Power Autom
Short Summary
last-byte/PersistenceSniper
Purpose of the PersistenceSniper Powershell module:
- Aimed at aiding Blue Teams, Incident Responders, and System Administrators
- Helps with the detection of persistences on Windows machines
- Available on Powershell Gallery and digitally signed
- Easy to use and can be run remotely
- Returns an array of objects with various properties
- Can output findings to CSV files and diff results against previous iterations
- Allows for incremental monitoring and tracking of changes
- Currently supports 47 persistence techniques
- Includes common tactics such as Run Key and Image File Execution Options.
source link: https://github.com/last-byte/PersistenceSniper
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/last-bytepersistencesniper
#PersistenceSniper #Powershell #WindowsMachines #IncrementalTracking #PersistenceTechniques