last-byte / persistencesniper


Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

License: Other

PowerShell 100.00%
incident-response malware-detection persistence powershell powershell-module powershell-script registry techniques windows

persistencesniper's People

Contributors

d3f0x0, fkadibs, last-byte


persistencesniper's Issues

Forensic

Any chance this could be made to point towards a mounted image? Great project!!

Unable to detect ghosttasks

Hi, love the tool.

I have a VM with a working ghosttask loaded (restarted and all that, and confirmed the ghosttask is functioning). I can see it in my regedit \tasks, and I can see it doesn't have an SD, as expected. I can see it doing the action I made it do.

Running the latest PersistenceSniper v1.16.0, I can't seem to detect it. I see a bunch of other false-positives, so the tool itself is working, but no output relating to ghosttask.
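A check for the gap this issue describes, added here as an example rather than PersistenceSniper's own code: it walks the TaskCache registry tree and reports registered tasks that carry no SD (security descriptor) value. It assumes the standard layout (one subkey per task path under Tree with Id, Index and SD values, and a GUID-keyed entry under Tasks holding the Actions blob); the function name is this example's own.

```powershell
function Find-TaskWithoutSD {
    [CmdletBinding()]
    param(
        # Assumed standard TaskCache layout: one subkey per task path under Tree,
        # each carrying Id (task GUID), Index and SD (security descriptor) values.
        [string]$TreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    )
    $tasksRoot = Join-Path (Split-Path $TreePath -Parent) 'Tasks'

    # Task folders are subkeys too, so walk the whole tree; only nodes with an Id are tasks.
    Get-ChildItem -Path $TreePath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $id = $_.GetValue('Id', $null)
        if ($null -eq $id) { return }

        # A registered task normally has an SD value; its absence is the ghost-task marker.
        if ($null -ne $_.GetValue('SD', $null)) { return }

        # Recover what the task runs from the GUID-keyed entry under Tasks (REG_BINARY blob).
        $actions = (Get-ItemProperty -Path (Join-Path $tasksRoot $id) -ErrorAction SilentlyContinue).Actions
        $hex = if ($actions) { [System.BitConverter]::ToString($actions) -replace '-', '' } else { $null }

        [PSCustomObject]@{
            TaskPath   = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
            TaskId     = $id
            HasSD      = $false
            ActionsHex = $hex
        }
    }
}

# Needs an elevated session; prints nothing when every task carries an SD.
Find-TaskWithoutSD | Format-Table -AutoSize
```

The ActionsHex column is the raw Actions blob; decoding it into the executable and arguments is left to the analyst's usual task-cache tooling.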

Parse-NetUser function is not locale-agnostic

Thank you for your great tool

I found that on non-English Windows localisation, I have false positives from the first and the last line (a record per word). The screenshot below shows current users and a different line on the bottom.

I suggest rewriting the Parse-NetUser function to filter out anything above ------ and empty lines, and not to parse the last line. E.g. on the next line, parse the previous line if any. This would harden this function so it won't rely on English locale messages.

To translate some messages:
Konta użytkowników dla - User accounts for
Gość - Guest
Domyślny użytkownik - Default user
Polecenie zostało wykonane pomyślnie. - The command completed

Green boxes on a screenshot hide private information like username and computer name.

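A locale-agnostic parser along the lines suggested above, added here as an example and not the module's Parse-NetUser: everything above the ------ separator is skipped, blank lines are skipped, and the last non-empty line (the completion message) is never parsed because each body line is only emitted once a following line proves it was not the last. The two sample outputs are constructed; the function name is this example's own.

```powershell
function ConvertFrom-NetUserOutput {
    param([string[]]$Lines)

    $users = @()
    $pastSeparator = $false
    $pending = $null   # previous body line; emitted only when a later line shows it was not the last

    foreach ($line in $Lines) {
        if (-not $pastSeparator) {
            # Header text (locale-specific banner) is everything above the dashed separator.
            if ($line -match '^-{5,}\s*$') { $pastSeparator = $true }
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($null -ne $pending) {
            # net user prints fixed-width columns, so split on runs of two or more spaces;
            # this keeps account names that contain a single space intact.
            $users += ($pending.Trim() -split '\s{2,}')
        }
        $pending = $line
    }
    # $pending now holds the last non-empty line, i.e. the completion message; it is discarded.
    return $users
}

# Constructed sample outputs (Polish and English) to exercise the parser offline.
$polish = @(
    'Konta użytkowników dla \\PC01', '',
    '-------------------------------------------------------------------------------',
    'Administrator            DefaultAccount           Gość',
    'Jan                      WDAGUtilityAccount', '',
    'Polecenie zostało wykonane pomyślnie.'
)
$english = @(
    'User accounts for \\PC01', '',
    '-------------------------------------------------------------------------------',
    'Administrator            DefaultAccount           Guest',
    'John                     WDAGUtilityAccount', '',
    'The command completed successfully.'
)
(ConvertFrom-NetUserOutput $polish)  -join ', '
(ConvertFrom-NetUserOutput $english) -join ', '

# Against a live system: ConvertFrom-NetUserOutput (net user)
```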

Digital Signature

In regulated environments it may be difficult to run the script given it's not digitally signed. Would be great if you added that as a feature. Thanks!

[Feature Request] Hunting persistence in OS Disk images.

Amazing tool, has helped me multiple times. Thank you for making it.
I just had a feature request: while for an active system this tool does wonders, can it be modded to also support disk images of the OS drive? I believe some persistence techniques will be visible work in such a case, but it still would be a big help for DFIR people dealing with just a device image. Let me know if this is possible/in the works. I can help, although I'm not very good at PowerShell; still, more hands might help.

Again thanks a lot.

RunAndRunOnce Method does not detect powershell.exe entries

Hi,

awesome project! I found a bug though, that might be rooted in the way you reference the lolbas project, because this project is missing "powershell.exe" as a lolbin 🤔 🤣

Setup

PersistenceSniper ModuleVersion = '1.15.0'

PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Current Behavior

I created two Run Keys under the current user (Skype and SymantecEndpointProtection)

I ran the Persistence Sniper as "Administrator". You can see a modified output that I used for debugging. It states that the binary is considered safe. This output is given if Get-IfSafeExecutable is true.

Get-IfSafeExecutable has an additional LolBas check. This checks if the prop value contains a lolbas binary. The problem is that powershell.exe is not in this list. Since it is a builtin binary and the lolbas check fails, the binary is considered safe.


Expected Behavior

The output of the PersistenceSniper should display the registry key "Skype".

Additional Details

I get the same invalid behavior if I use the -IncludeHighFalsePositivesChecks switch.

Possible solutions

  • add powershell.exe to lolbas project
  • implement powershell.exe in the Get-ifLolBin list manually
  • implement a Get-ifCmdInterpreter with powershell.exe, cmd.exe as blacklist to always report persistence using such command line interpreters.

Working offline

Hi,
Would it be difficult and is it planned to support offline data like disk images?
Kind regards
Laurent

Dependency

The module in the PS Gallery and the details here do not indicate any dependency. However, when attempting to import the module on PS version 4, it indicates that PersistenceSniper requires PS version 5. Please clarify.

Case sensitive comparisons

The code in this module makes significant use of .Contains to look for sub-strings. For example:

$exePath.Contains('powershell') -or $exePath.Contains('cmd')

However, the .Contains method of System.String is case-sensitive and, in Windows PS (.NET Framework), has no overloads available to make it ignore case.

This use of .Contains will yield false and you'll miss things:

$exePath = 'c:\somepath\PowerShell.exe'
$exePath.Contains('powershell')

I suggest one of:

  • Use a PS operator such as -match. For example: $exePath -match 'powershell'
  • Convert incoming strings to the same case for the purpose of comparison. For example: $exePath.ToLower().Contains...
  • Substitute use of this method for another that supports case-insensitive comparisons. For example: $exePath.IndexOf('powershell', [System.StringComparison]::OrdinalIgnoreCase) -gt -1
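The case-insensitive matching requested in this issue and the interpreter blocklist proposed in the RunAndRunOnce issue above, combined in one added example that is not PersistenceSniper's code: Run/RunOnce values are checked against a fixed list of interpreters using IndexOf with StringComparison instead of String.Contains, so a mixed-case PowerShell.exe path is reported even when a LOLBAS lookup would call the binary safe. The function names and the sample command line are this example's own.

```powershell
# Returns the interpreter name found in the command line, or $null. Case-insensitive on purpose:
# String.Contains is case-sensitive and, on .NET Framework, has no ignore-case overload.
function Test-InterpreterCommand {
    param([string]$CommandLine, [string[]]$Interpreters)
    foreach ($name in $Interpreters) {
        # IndexOf with StringComparison works on Windows PowerShell and PowerShell 7 alike;
        # ($CommandLine -match [regex]::Escape($name)) is the idiomatic PowerShell equivalent.
        if ($CommandLine.IndexOf($name, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $name }
    }
    return $null
}

# Inspect Run/RunOnce values and report any that launch an interpreter on the blocklist,
# regardless of whether a LOLBAS lookup would classify the binary as "safe".
function Get-RunKeyInterpreterPersistence {
    param([string[]]$Interpreters = @('powershell.exe', 'cmd.exe'))
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip provider metadata, keep real values
            $cmd = [string]$p.Value
            $hit = Test-InterpreterCommand -CommandLine $cmd -Interpreters $Interpreters
            if ($hit) {
                [PSCustomObject]@{ Key = $key; ValueName = $p.Name; Interpreter = $hit; CommandLine = $cmd }
            }
        }
    }
}

# Self-check on a constructed value: String.Contains misses the mixed-case path, the helper does not.
$sample = 'C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -w hidden -File C:\Users\Public\update.ps1'
$sample.Contains('powershell.exe')
Test-InterpreterCommand -CommandLine $sample -Interpreters @('powershell.exe', 'cmd.exe')

Get-RunKeyInterpreterPersistence | Format-Table -AutoSize
```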

Installation help

Hi, I have this error

ackageManagement\Install-Package : Nessuna corrispondenza trovata per i criteri di ricerca specificati e il nome di
pacchetto 'PersistenceSniper'. Prova Get-PSRepository per visualizzare tutte le origini dei pacchetti registrate
disponibili.
In C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 car:21

    + ... $null = PackageManagement\Install-Package @PSBoundParameters
    +                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Help :)
