
implemented two new persistences; fixed suborner FP
last-byte committed Mar 31, 2024
1 parent ad0087d commit 4bff22f
Showing 4 changed files with 79 additions and 25 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,4 +1,11 @@
# Changelog
## 1.16.0
Features:
- Detection for the BootVerificationProgram hijacking
- Detection for the AppInit DLLs injection
Fixes:
- Fixed a false positive in the detection of the Suborner Attack caused by a faulty implementation of the Parse-NetUser internal function

## 1.15.1
Fixes:
- Fixed a gap in the detection of the techniques which relied on Get-IfSafeExecutable function which would prevent Powershell persistences from showing up
Binary file modified PersistenceSniper/PersistenceSniper.psd1
93 changes: 70 additions & 23 deletions PersistenceSniper/PersistenceSniper.psm1
@@ -1,6 +1,6 @@
<#PSScriptInfo
.VERSION 1.15.1
.VERSION 1.16.0
.GUID 3ce01128-01f1-4503-8f7f-2e50deb56ebc
Expand Down Expand Up @@ -154,7 +154,9 @@ function Find-AllPersistence {
'RIDHijacking',
'SubornerAttack',
'DSRMBackdoor',
'GhostTask'
'GhostTask',
'BootVerificationProgram',
'AppInitDLLs'
)]
$PersistenceMethod = 'All',

Expand Down Expand Up @@ -430,11 +432,10 @@ function Find-AllPersistence {
}

$contentArray = @()
foreach ($line in $item) {
while ($line.Contains(" ")) {
$line = $line -replace ' ', ' '
foreach ($line in $item -split '\s{2,}') {
if ($line -ne '') {
$contentArray += $line
}
$contentArray += $line.Split(' ')
}

foreach ($content in $contentArray) {
Expand Down Expand Up @@ -1820,6 +1821,7 @@ function Find-AllPersistence {
}
Write-Verbose -Message ''
}

function Get-DotNetStartupHooks {
Write-Verbose -Message "$hostname - Getting DotNet Startup Hooks..."
foreach ($hive in $systemAndUsersHives) {
Expand Down Expand Up @@ -1848,7 +1850,7 @@ function Find-AllPersistence {
}
Write-Verbose -Message ''
}

function Get-SubornerAttack {
$netUsers = net.exe users | Parse-NetUser
$poshUsers = Get-LocalUser | Select-Object Name
Expand All @@ -1860,6 +1862,7 @@ function Find-AllPersistence {
}
Write-Verbose -Message ''
}

function Get-RidHijacking {

Write-Verbose -Message "$hostname - Checking for RID Hijacking"
Expand Down Expand Up @@ -1938,6 +1941,37 @@ function Find-AllPersistence {
}
Write-Verbose -Message ''
}

function Get-BootVerificationProgram {
Write-Verbose -Message "$hostname - Checking for Boot Verification Program hijacking..."
$bootVerificationProgram = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\BootVerificationProgram").ImagePath
if ($bootVerificationProgram) {
Write-Verbose -Message "$hostname - [!] Found custom Boot Verification Program at ImagePath property of the HKLM:\SYSTEM\CurrentControlSet\Control\BootVerificationProgram key!"
$PersistenceObject = New-PersistenceObject -Hostname $hostname -Technique 'Boot Verification Program Hijacking' -Classification 'Uncatalogued Technique N.19' -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath' -Value $bootVerificationProgram -AccessGained 'System' -Note "The executable pointed to by the ImagePath property of the HKLM:\SYSTEM\CurrentControlSet\Control\BootVerificationProgram key is run by the Windows Service Manager at boot time in place of the legitimate Bootvrfy.exe" -Reference 'https://persistence-info.github.io/Data/bootverificationprogram.html'
$null = $persistenceObjectArray.Add($PersistenceObject)
}
Write-Verbose -Message ''
}

function Get-AppInitDLLs {
Write-Verbose -Message "$hostname - Getting AppInit DLLs..."
$appInitDLL = (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows").AppInit_DLLs
if ($appInitDLL) {
Write-Verbose -Message "$hostname - [!] AppInit_DLLs property under the HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows key is populated!"
$PersistenceObject = New-PersistenceObject -Hostname $hostname -Technique 'AppInit DLL injection' -Classification 'MITRE ATT&CK T1546.010' -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Value $appInitDLL -AccessGained 'System/User' -Note "The DLLs specified in the AppInit_DLLs property of the HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows key are loaded by user32.dll whenever a new process starts." -Reference 'https://attack.mitre.org/techniques/T1546/010/'
$null = $persistenceObjectArray.Add($PersistenceObject)
}

$appInitDLL = (Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows").AppInit_DLLs
if ($appInitDLL) {
Write-Verbose -Message "$hostname - [!] AppInit_DLLs property under the HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows key is populated!"
$PersistenceObject = New-PersistenceObject -Hostname $hostname -Technique 'AppInit DLL injection' -Classification 'MITRE ATT&CK T1546.010' -Path 'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' -Value $appInitDLL -AccessGained 'System/User' -Note "The DLLs specified in the AppInit_DLLs property of the HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows key are loaded by user32.dll whenever a new process starts." -Reference 'https://attack.mitre.org/techniques/T1546/010/'
$null = $persistenceObjectArray.Add($PersistenceObject)
}

Write-Verbose -Message ''
}

function Out-EventLog {

Param (
Expand Down Expand Up @@ -2004,6 +2038,8 @@ function Find-AllPersistence {
'Suborner Attack' = $null
'DSRM Backdoor' = $null
'GhostTask' = $null
'BootVerificationProgram' = $null
'AppInitDLLs' = $null
}

# Collect the keys in a separate list
Expand Down Expand Up @@ -2089,6 +2125,8 @@ function Find-AllPersistence {
Get-RidHijacking
Get-DSRMBackdoor
Get-GhostTask
Get-BootVerificationProgram
Get-AppInitDLLs

if ($IncludeHighFalsePositivesChecks.IsPresent) {
Write-Verbose -Message "$hostname - You have used the -IncludeHighFalsePositivesChecks switch, this may generate a lot of false positives since it includes checks with results which are difficult to filter programmatically..."
Expand Down Expand Up @@ -2318,6 +2356,16 @@ function Find-AllPersistence {
Get-GhostTask
break
}
'BootVerificationProgram'
{
Get-BootVerificationProgram
break
}
'AppInitDLLs'
{
Get-AppInitDLLs
break
}
}
}

Expand Down Expand Up @@ -2375,12 +2423,11 @@ function Find-AllPersistence {

Write-Verbose -Message 'Module execution finished.'
}

# SIG # Begin signature block
# MIIVlQYJKoZIhvcNAQcCoIIVhjCCFYICAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU9SiTa0xD0GnMf2t+M6qW2lGJ
# H4KgghH1MIIFbzCCBFegAwIBAgIQSPyTtGBVlI02p8mKidaUFjANBgkqhkiG9w0B
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUiPjkk6OPIYFuG1J6aiCVyWL0
# h+egghH1MIIFbzCCBFegAwIBAgIQSPyTtGBVlI02p8mKidaUFjANBgkqhkiG9w0B
# AQwFADB7MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVy
# MRAwDgYDVQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEh
# MB8GA1UEAwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTIxMDUyNTAwMDAw
Expand Down Expand Up @@ -2480,17 +2527,17 @@ function Find-AllPersistence {
# ZDErMCkGA1UEAxMiU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIENBIFIzNgIR
# ANqGcyslm0jf1LAmu7gf13AwCQYFKw4DAhoFAKB4MBgGCisGAQQBgjcCAQwxCjAI
# oAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIB
# CzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFK607bYv/sX0YdRQRuZR
# j+OLOdmBMA0GCSqGSIb3DQEBAQUABIICAIYW6zYeHFFW1XA66hhxQpxhdNZiczwK
# zEosiMtuOnmnwsLZ3oQcObdIQMCVXjV+HLDdDXI/L+qJJMhaF9fileo3hjGS+AWs
# aG0g5/K5d61BB6ypgHlb/dkrqzhoDbTosZDCK9WWoo37RcvZv+jNuls3IJ9r4E7+
# 24lPxb7TROkBq/C2zkhYT2+OqVLRpKpaai8cKWvNPyJRM/rsZjbuJsD0Qkr8NbCM
# Ki718QLkGHA1dOn3tuGTY5zBCGSkeTGnqaSxK2fDa3zW/c+5ZxxmZOs4tmHrcWVV
# 0N/BP+wQ6ejKlQtZZEyPtEwguLM2EioRipW7wfzUY6T3QYZRjgJvhIRAfCVCJfPJ
# dSjzOMwDekI2hCVfg4f4wQOghtXnzcU3rWgfjfUWg+pfWSDYnEMufI7UcKmkMetz
# fHJB1bLySttljorCRb8voVFcax5EpYPyexoUYnSxkwNwlsKIW+1Vgoj93SmLfnpm
# KnfavplaC6C14cqo3E7NgVjSu1dpkLBKGZ6cEUJt1KI2ubc2ZObB3uy1/gq5JJZk
# jYHPZcGvNqLR000K+sV4T23kKOsR5LjtGzIPmsRUc/7hpKmAKnKjKptmbOGr3iX/
# UDqG6zSaks1fUmpmLkrvsXqHZcimeetIBA8H9fnTIlY3H0iKfAV9CcIjXXDpGgWf
# ykCKkIwijJZg
# CzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFPS/pEkn0cXGewvPHFBm
# 9PsnKwXDMA0GCSqGSIb3DQEBAQUABIICAFsAtmXr8hNrs+uIdkjiSaUqbRqaE8Ng
# RFTX8kSUi3f2DCEgjtBU+nS+50t5Owubdc+zkEVXzFSrJ1A3SrEOzil/yI1JzLNs
# 9UWQqbgkXTs1feb+bqeI9tvK2INDMYqqPZD1IaXmqAIgaXqprVdj2z69c1px4wYF
# wjhoyMn6qbCztumhzdsk/xbZ7HWQ1oZoI7ji9RDrJfXna6vSsCAbEmH7kLEDkbw1
# 4RUpyHS+7wc1NO9fkeg+oEYD3mK8eWfhk7PhSlw94mI4F6L9v8UFUOEnKJWxtGh8
# q/F19YgIBTrQQAokng8Nq+ikzNKcl4jIUDiIv229eZSNct7ia54jYwtphEmxdG8f
# OvxPlpkG8cBnpbjNXVkWDPMh8jFEDoAMctnBbDutsUmUXew9n+gRUNubk9U2GpzD
# D19KCeKaroUNp2pe8Gq9wYIrHHajiaPUedzuGXcN4sr0pWiXQynTBuIYk1yIqBfB
# BVH5tZBhvUYEAOx8f66f+L25JwEE1fyjNI9ti+YfzfrqOgS4mKzvBkRiimjGeWpL
# tYHF6kBCa021bBXwUoHgdXcpGTgAWNbIBhpg6OJ5JhKGVdgisc//Bc/PGRXMWNm4
# 5p+G7iraTsbyo4lrHVg2hE00ynARid6MMs39PpyCqPvItCRoKu3p6ep0a6fyHIG5
# NaCLSEJs0RYu
# SIG # End signature block
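Review bot: `Get-ItemProperty` on L95 (and on L106 and L113 in Get-AppInitDLLs) is called without `-ErrorAction SilentlyContinue`, so on a host where the key is absent — the BootVerificationProgram key is typically not present on a default install, and the Wow6432Node path does not exist on 32-bit Windows — the cmdlet writes a non-terminating error to the console before the `.ImagePath` / `.AppInit_DLLs` access yields $null; unless the module sets $ErrorActionPreference elsewhere (not visible here), `(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\BootVerificationProgram" -ErrorAction SilentlyContinue).ImagePath` keeps the scan output clean without changing the detection result. For triage, the AppInit finding would be more actionable if its -Note also carried the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values from the same key, since those gate whether the listed DLLs are actually loaded into processes that map user32.dll; a populated AppInit_DLLs with LoadAppInit_DLLs set to 0 is a dormant rather than an active persistence and a responder wants to see that distinction in the report. Minor consistency point: the BootVerificationProgram finding's -Path ends in the value name (`...\BootVerificationProgram\ImagePath`) while the two AppInit findings' -Path name only the key, so ending those in `\AppInit_DLLs` would make the two new detections report the same way as each other.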
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -8,8 +8,8 @@
<tr>
<td class="tg-0pky"><p align="center">
<img src="https://blog.notso.pro/img/persistencesnipernew4.png" width="40%">
<p align="center"><a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Language-Powershell-blue" alt="language" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/v/PersistenceSniper?label=Module%20Version" alt="version shield logo" style="text-align:center;display:block;"></a> <a href="https://github.com/last-byte/PersistenceSniper/wiki/3-%E2%80%90-Detections"><img src="https://img.shields.io/badge/Persistence%20Techniques-54-brightgreen" alt="number of techniques implemented" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Digital%20Signature-Valid-brightgreen" alt="workflow" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/dt/PersistenceSniper?label=Gallery%20Downloads" alt="gallery downloads" style="text-align:center;display:block;"></a> <a href="https://twitter.com/PersistSniper"><img src="https://img.shields.io/twitter/follow/PersistSniper?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/last0x00"><img src="https://img.shields.io/twitter/follow/last0x00?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/dottor_morte"><img src="https://img.shields.io/twitter/follow/dottor_morte?style=social" alt="twitter_rick" style="text-align:center;display:block;"></a> <a href="https://www.buymeacoffee.com/last0x00"><img src="https://img.shields.io/badge/buy%20me%20a-coffee-yellow" alt="buy me a coffee" style="text-align:center;display:block;"></a></p>
<p align="center">PersistenceSniper is a Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. It is also available on <a href=https://www.powershellgallery.com/packages/PersistenceSniper/1.0>Powershell Gallery</a> and it is digitally signed with a valid code signing certificate. The tool is under active development with new releases coming out by the week, so make sure to use the up-to-date version. Official Twitter/X account <a href="https://twitter.com/PersistSniper">@PersistSniper</a>.</p>
<p align="center"><a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Language-Powershell-blue" alt="language" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/v/PersistenceSniper?label=Module%20Version" alt="version shield logo" style="text-align:center;display:block;"></a> <a href="https://github.com/last-byte/PersistenceSniper/wiki/3-%E2%80%90-Detections"><img src="https://img.shields.io/badge/Persistence%20Techniques-56-brightgreen" alt="number of techniques implemented" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Digital%20Signature-Valid-brightgreen" alt="workflow" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/dt/PersistenceSniper?label=Gallery%20Downloads" alt="gallery downloads" style="text-align:center;display:block;"></a> <a href="https://twitter.com/PersistSniper"><img src="https://img.shields.io/twitter/follow/PersistSniper?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/last0x00"><img src="https://img.shields.io/twitter/follow/last0x00?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/dottor_morte"><img src="https://img.shields.io/twitter/follow/dottor_morte?style=social" alt="twitter_rick" style="text-align:center;display:block;"></a> <a href="https://www.buymeacoffee.com/last0x00"><img src="https://img.shields.io/badge/buy%20me%20a-coffee-yellow" alt="buy me a coffee" style="text-align:center;display:block;"></a></p>
<p align="center">PersistenceSniper is a Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. It is also available on <a href=https://www.powershellgallery.com/packages/PersistenceSniper>Powershell Gallery</a> and it is digitally signed with a valid code signing certificate. The tool is under active development with new releases coming out by the week, so make sure to use the up-to-date version. Official Twitter/X account <a href="https://twitter.com/PersistSniper">@PersistSniper</a>.</p>
</td>
</tr>
</tbody>
