PowerShell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
This release implements detections for 2 new persistence techniques (Boot Verification Program Hijacking and AppInit DLLs Injection) and fixes a false positive in the Suborner Attack detection, as reported by @strassi.
This release fixes a gap in the detection of persistences relying on PowerShell. The bug was in the Get-IfSafeExecutable function, which calls the Get-IfLolbin function, which in turn did not list powershell.exe as a LOLBin, so PowerShell-based persistences were wrongly treated as safe.
This release implements detections for the GhostTask technique.
This release implements a detection for the DSRM backdoor on Domain Controllers and fixes a bug in the Parse-NetUser internal function.
This release implements detection for RID hijacking and the Suborner attack.
This release implements a fix for the Accessibility Tools persistence detection which, up to 1.12.0, did not look for Utilman.exe hijacking.
This release fixes a bug in the OutputCSV parameter, which up to version 1.11.0 would include the false positives filtered out by the DiffCSV parameter, and adds support for logging the tool's output to the Windows Event Log, thanks to Antonio Blescia.
This release fixes a bug in the CmdAutoRun detection and adds three new detections. Check CHANGELOG.
This release fixes a bug in the DiffCSV parameter.
This release adds support for checking artefacts against VirusTotal through its API (a valid API key is required) using the -VTApiKey parameter, and implements detections for malicious Office templates.
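The baseline-then-diff workflow that the OutputCSV, DiffCSV and VTApiKey notes above refer to, as an added example that is not code from the PersistenceSniper project. It assumes the module is installed and exposes the Find-AllPersistence cmdlet (the cmdlet name is not stated on this page), that a VirusTotal key, if any, is stored in the $env:VT_API_KEY variable, and that the CSV written by -OutputCSV can be read back with Import-Csv. The final check reproduces the 1.11.0 OutputCSV bug described above by comparing whole rows, so it does not depend on the tool's column names.

```powershell
# Added example, not code from the PersistenceSniper project. Assumes the
# module is installed and that its entry point is Find-AllPersistence (the
# cmdlet name is not stated on this page). -OutputCSV, -DiffCSV and -VTApiKey
# are the parameters named in the release notes.
Import-Module PersistenceSniper

$baselineCsv = Join-Path $env:TEMP 'persistence-baseline.csv'
$currentCsv  = Join-Path $env:TEMP 'persistence-current.csv'

# 1. On a known-good build, record every persistence the tool sees.
Find-AllPersistence -OutputCSV $baselineCsv

# 2. On the host under investigation (or the same host, later), keep only the
#    findings absent from the baseline and write those to a second CSV.
#    If a VirusTotal key is available (assumed to live in $env:VT_API_KEY),
#    pass it so that executables are checked against VirusTotal as well.
$params = @{ DiffCSV = $baselineCsv; OutputCSV = $currentCsv }
if ($env:VT_API_KEY) { $params['VTApiKey'] = $env:VT_API_KEY }
Find-AllPersistence @params

# 3. Sanity check for the pre-1.12 OutputCSV bug: nothing that was already in
#    the baseline should reappear in the diffed output. Rows are compared as
#    whole records, so no assumption about the CSV column names is needed.
function Get-RowKey {
    param([Parameter(ValueFromPipeline)] $Row)
    process { $Row.PSObject.Properties.Value -join '|' }
}
$baselineKeys = @(Import-Csv $baselineCsv | Get-RowKey)
$leaked = @(Import-Csv $currentCsv | Where-Object { ($_ | Get-RowKey) -in $baselineKeys })
if ($leaked.Count -gt 0) {
    Write-Warning "DiffCSV filtering leaked $($leaked.Count) baseline row(s) into $currentCsv"
} else {
    Write-Host "OK: no baseline rows present in $currentCsv"
}
```

Run step 1 once per golden image and keep the baseline CSV with the image; step 2 is what an incident responder runs on a suspect host. The check in step 3 is cheap and worth keeping in the runbook, since a regression of this kind silently re-introduces known-good entries into the list an analyst has to triage.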