updated to version 1.14.0
last-byte committed Nov 4, 2023
1 parent e10e11a commit 4a0ada1
Showing 4 changed files with 60 additions and 30 deletions.
8 changes: 7 additions & 1 deletion CHANGELOG.md
@@ -1,10 +1,16 @@
# Changelog
## 1.14.0
Features:
- Detection for the DSRM backdoor
Fixes:
- Fixed a bug which regarding the Parse-NetUser internal function (see issue #20).

## 1.13.0
Features:
- Detection for RID hijacking
- Detection for the Suborner technique
Fixes:
- Fixed a bug which regarding module-wide string comparisons (see issue #19).
- Fixed a bug regarding module-wide string comparisons (see issue #19).

## 1.12.1
Fixes:
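Review bot: the new 1.14.0 entry `- Fixed a bug which regarding the Parse-NetUser internal function (see issue #20).` repeats the same "which regarding" typo that this very hunk corrects in the 1.13.0 entry; suggest `- Fixed a bug regarding the Parse-NetUser internal function (see issue #20).`. It would also help readers to say what the bug was (the parser relying on English-only `net user` output strings, judging from the psm1 hunk), since an issue number alone is not meaningful offline.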
Binary file modified PersistenceSniper/PersistenceSniper.psd1
Binary file not shown.
80 changes: 52 additions & 28 deletions PersistenceSniper/PersistenceSniper.psm1
@@ -1,33 +1,32 @@
<#PSScriptInfo
.VERSION 1.13.0
.VERSION 1.14.0
.GUID 3ce01128-01f1-4503-8f7f-2e50deb56ebc
.AUTHOR Federico @last0x00 Lagrasta
.DESCRIPTION This module tries to enumerate all the persistence methods implanted on a compromised machine. New techniques may take some time before they are implemented in this script, so don't assume that because the module didn't find anything the machine is clean.
.DESCRIPTION This module tries to enumerate all the persistence techniques implanted on a compromised machine.
.COMPANYNAME @APTortellini
.COPYRIGHT Commons Clause
.TAGS Windows Persistence Detection Blue Team
.TAGS Windows Registry Persistence Detection Blue Purple Red Team Incident Response DFIR IR Forensics AMSI Powershell
.LICENSEURI https://github.com/last-byte/PersistenceSniper/blob/main/LICENSE
.PROJECTURI https://github.com/last-byte/PersistenceSniper
.ICONURI https://github.com/last-byte/PersistenceSniper/blob/main/resources/persistencesniper2.png
.ICONURI https://blog.notso.pro/img/persistencesnipernew4.png
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
This release implements detection for RID hijacking and the Suborner technique. It also fixes a module-wide bug regarding string comparisons (see issue #19).
.RELEASENOTES Check the CHANGELOG available at the Github Repository.
.PRIVATEDATA
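Review bot: shortening .DESCRIPTION drops the caveat that new techniques take time to be implemented and that an empty result does not mean the machine is clean. That sentence is the most important expectation-setting statement a Gallery user of an IR tool will read, and it costs nothing to keep; suggest retaining it in the shortened description. Pointing .RELEASENOTES at the CHANGELOG is fine, but a Gallery user sees release notes without the repository, so a one-line summary (adds DSRM backdoor detection; fixes Parse-NetUser, issue #20) before the pointer would preserve what the previous text offered.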
@@ -154,7 +153,8 @@ function Find-AllPersistence
'RunExAndRunOnceEx',
'DotNetStartupHooks',
'RIDHijacking',
'SubornerAttack'
'SubornerAttack',
'DSRMBackdoor'
)]
$PersistenceMethod = 'All',

@@ -431,19 +431,24 @@ function Find-AllPersistence
WDAGUtilityAccount
#>

$outputStart = 0
foreach ($item in $input) {
if ($item -eq ""){
if ($item -match '----') {
$outputStart = 1
continue
}
if ($item -match 'User accounts for') {
elseif($outputStart -eq 0)
{
continue
}
elseif ($item -match '----') {
if ($item -eq ""){
continue
}
elseif ($item -match 'The command completed') {
if($item -match '.*\.$')
{
continue
}

$contentArray = @()
foreach ($line in $item) {
while ($line.Contains(" ")){
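Review bot: the rewritten skip logic is more locale-independent than the English string matches it replaces, but it still relies on the completion message ending in a period (`if($item -match '.*\.$')`). On a localized system that line may not end in '.', in which case it is parsed as a line of usernames; conversely any genuine output line that happens to end in a period is silently dropped. Since `$input` holds the whole command output and the completion message is always its last line, dropping the final non-empty element of `$input` before the loop (or after `$outputStart` is set) would remove the dependency on the message text entirely. Two smaller points: `'.*\.$'` is equivalent to `'\.$'`, and the brace placement (`elseif($outputStart -eq 0)` with the brace on the next line versus `if ($item -eq ""){`) is inconsistent within the same loop.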
@@ -2185,7 +2190,7 @@ function Find-AllPersistence
if($decRid.ToString() -ne $userRid.ToString())
{
Write-Verbose -Message "$hostname - Found username $($user.Name) with hijacked RID $decRid"
$PersistenceObject = New-PersistenceObject -Hostname $hostname -Technique 'RID Hijacking' -Classification 'Uncatalogued Technique N.17' -Path '$user' -Value $decRid -AccessGained 'User/System' -Note 'RID hijacking allows an attacker to covertly replace the RID of a user with the RID of another user, effectively giving the first user all of the privileges of the second user. The second user is usually an Administrator, which allows the first user to gain administrator level privileges while using a non-administrator account.' -Reference 'https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/'
$PersistenceObject = New-PersistenceObject -Hostname $hostname -Technique 'RID Hijacking' -Classification 'Uncatalogued Technique N.17' -Path "$user" -Value $decRid -AccessGained 'User/System' -Note 'RID hijacking allows an attacker to covertly replace the RID of a user with the RID of another user, effectively giving the first user all of the privileges of the second user. The second user is usually an Administrator, which allows the first user to gain administrator level privileges while using a non-administrator account.' -Reference 'https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/'
$null = $persistenceObjectArray.Add($PersistenceObject)
}
}
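Review bot: switching `-Path '$user'` to `-Path "$user"` fixes the literal string `$user` being recorded as the path, but the same line uses `$($user.Name)` in the verbose message, so `$user` is an object rather than a string and `"$user"` records whatever its ToString() returns, which may be a type name rather than the account. Suggest `-Path "$($user.Name)"` (or the account SID) so the Path field is stable and matches the verbose output.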
@@ -2198,6 +2203,17 @@ function Find-AllPersistence
Write-Verbose -Message ''
}

function Get-DSRMBackdoor
{
Write-Verbose -Message "$hostname - Checking for Directory Services Restore Mode (DSRM) backdoor..."
$dsrmAdminLogonBehavior = (Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa").DsrmAdminLogonBehavior
if($dsrmAdminLogonBehavior -EQ 2)
{
$PersistenceObject = New-PersistenceObject -Hostname $hostname -Technique 'DSRM Backdoor' -Classification 'MITRE ATT&CK T1003.003' -Path 'HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior' -Value $dsrmAdminLogonBehavior -AccessGained 'System' -Note "The password used to enter Directory Services Restore Mode (DSRM) is the password set to the local administrator of a Domain Controller during DCPROMO. If the DsrmAdminLogonBehavior property of the HKLM:\System\CurrentControlSet\Control\Lsa key is set to 2, this password can be used to access the Domain Controller with the local administrator account." -Reference 'https://adsecurity.org/?p=1785'
$null = $persistenceObjectArray.Add($PersistenceObject)
}
Write-Verbose -Message ''
}
function Out-EventLog
{

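Review bot: `if($dsrmAdminLogonBehavior -EQ 2)` only reports the value that allows the DSRM account to log on at any time; a value of 1 (logon permitted while the AD DS service is stopped) is also a non-default change worth surfacing, perhaps as a lower-confidence finding behind the existing `IncludeHighFalsePositivesChecks` switch. Two further points: the classification `MITRE ATT&CK T1003.003` is OS Credential Dumping: NTDS, which covers extracting the DSRM hash rather than changing the logon behaviour, so the persistence-side mapping deserves a second look; and the value only has meaning on a domain controller, so a short note in the verbose output that a non-DC host will simply lack the property would make a clean result less misleading. Style: `-EQ` is uppercase while the rest of the module uses lowercase operators, and a blank line is missing between the closing brace and `function Out-EventLog`.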
@@ -2263,6 +2279,7 @@ function Find-AllPersistence
'DotNet Startup Hooks' = $null
'RID Hijacking' = $null
'Suborner Attack' = $null
'DSRM Backdoor' = $null
}

# Collect the keys in a separate list
@@ -2347,6 +2364,7 @@ function Find-AllPersistence
Get-DotNetStartupHooks
Get-SubornerAttack
Get-RidHijacking
Get-DSRMBackdoor

if($IncludeHighFalsePositivesChecks.IsPresent)
{
@@ -2623,8 +2641,14 @@ function Find-AllPersistence
Get-SubornerAttack
break
}
'DSRMBackdoor'
{
Get-DSRMBackdoor
break
}
}
}
}


if($LogFindings.IsPresent)
{
@@ -2693,8 +2717,8 @@ function Find-AllPersistence
# SIG # Begin signature block
# SIG # End signature block
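Review bot: the Authenticode signature hunk cannot be reviewed by eye; what matters is that it was regenerated after the last content edit to PersistenceSniper.psm1 in this commit, otherwise the file loads with a HashMismatch status and fails under an AllSigned execution policy. Running `Get-AuthenticodeSignature .\PersistenceSniper\PersistenceSniper.psm1` on the checked-out file (ideally in CI) would make this hunk verifiable rather than a wall of base64.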
2 changes: 1 addition & 1 deletion README.md
@@ -8,7 +8,7 @@
<tr>
<td class="tg-0pky"><p align="center">
<img src="https://blog.notso.pro/img/persistencesnipernew4.png" width="40%">
<p align="center"><a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Language-Powershell-blue" alt="language" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/v/PersistenceSniper?label=Module%20Version" alt="version shield" style="text-align:center;display:block;"></a> <a href="https://github.com/last-byte/PersistenceSniper/wiki/3-%E2%80%90-Detections"><img src="https://img.shields.io/badge/Persistence%20Techniques-52-brightgreen" alt="number of techniques implemented" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Digital%20Signature-Valid-brightgreen" alt="workflow" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/dt/PersistenceSniper?label=Gallery%20Downloads" alt="gallery downloads" style="text-align:center;display:block;"></a> <a href="https://twitter.com/PersistSniper"><img src="https://img.shields.io/twitter/follow/PersistSniper?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/last0x00"><img src="https://img.shields.io/twitter/follow/last0x00?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/dottor_morte"><img src="https://img.shields.io/twitter/follow/dottor_morte?style=social" alt="twitter_rick" style="text-align:center;display:block;"></a> <a href="https://www.buymeacoffee.com/last0x00"><img src="https://img.shields.io/badge/buy%20me%20a-coffee-yellow" alt="buy me a coffee" style="text-align:center;display:block;"></a></p>
<p align="center"><a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Language-Powershell-blue" alt="language" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/v/PersistenceSniper?label=Module%20Version" alt="version shield" style="text-align:center;display:block;"></a> <a href="https://github.com/last-byte/PersistenceSniper/wiki/3-%E2%80%90-Detections"><img src="https://img.shields.io/badge/Persistence%20Techniques-53-brightgreen" alt="number of techniques implemented" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/badge/Digital%20Signature-Valid-brightgreen" alt="workflow" style="text-align:center;display:block;"></a> <a href="https://www.powershellgallery.com/packages/PersistenceSniper/"><img src="https://img.shields.io/powershellgallery/dt/PersistenceSniper?label=Gallery%20Downloads" alt="gallery downloads" style="text-align:center;display:block;"></a> <a href="https://twitter.com/PersistSniper"><img src="https://img.shields.io/twitter/follow/PersistSniper?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/last0x00"><img src="https://img.shields.io/twitter/follow/last0x00?style=social" alt="twitter" style="text-align:center;display:block;"></a> <a href="https://twitter.com/dottor_morte"><img src="https://img.shields.io/twitter/follow/dottor_morte?style=social" alt="twitter_rick" style="text-align:center;display:block;"></a> <a href="https://www.buymeacoffee.com/last0x00"><img src="https://img.shields.io/badge/buy%20me%20a-coffee-yellow" alt="buy me a coffee" style="text-align:center;display:block;"></a></p>
<p align="center">PersistenceSniper is a Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. It is also available on <a href=https://www.powershellgallery.com/packages/PersistenceSniper/1.0>Powershell Gallery</a> and it is digitally signed with a valid code signing certificate. The tool is under active development with new releases coming out by the week, so make sure to use the up-to-date version. Official Twitter/X account <a href="https://twitter.com/PersistSniper">@PersistSniper</a>.</p>
</td>
</tr>
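Review bot: the technique count in the badge URL (`Persistence%20Techniques-52` to `53`) is maintained by hand and will drift from the module's own list; generating it from the ValidateSet or the results hashtable at release time would avoid that. In the unchanged context just below, the Gallery link `href=https://www.powershellgallery.com/packages/PersistenceSniper/1.0` still pins version 1.0 and the attribute value is unquoted; pointing it at the unversioned package page, as the badges already do, would keep it correct across version bumps.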