PersistenceSniper is a PowerShell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on the PowerShell Gallery.
The Why
Why write such a tool, you might ask. Well, for starters, I tried looking around and I didn't find a tool which suited my particular use case, which was looking for known persistence techniques, automatically, across multiple machines, while also being able to quickly and easily parse and compare results. Sure, Sysinternals' Autoruns is an amazing tool and it is definitely worth using, but, given that it outputs results in non-standard formats and can't be run remotely unless you do some shenanigans with its command line equivalent, I didn't find it a good fit for me. Plus, some of the techniques I have implemented so far in PersistenceSniper haven't been implemented in Autoruns yet, as far as I know. Anyway, if what you need is an easy to use, GUI based tool with lots of already implemented features, Autoruns is the way to go; otherwise let PersistenceSniper have a shot, it won't miss it :)
Usage
Using PersistenceSniper is as simple as:
PS C:\> git clone https://github.com/last-byte/PersistenceSniper
PS C:\> Import-Module .\PersistenceSniper\PersistenceSniper\PersistenceSniper.psd1
PS C:\> Find-AllPersistence
If you need a detailed explanation of how to use the tool, or of which parameters are available and how they work, PersistenceSniper's Find-AllPersistence supports PowerShell's help features, so you can get detailed, up to date help by running the following command after importing the module:
Get-Help -Name Find-AllPersistence -Full
PersistenceSniper's Find-AllPersistence returns an array of objects of type PSCustomObject with the properties described under Interpreting results below, so its output can be filtered with the standard cmdlets. For example, to keep only the entries that would grant an attacker System-level access:
PS C:\> Find-AllPersistence | Where-Object "Access Gained" -EQ "System"
Of course, PersistenceSniper being a PowerShell-based tool, some cool tricks can be performed, like passing its output to Out-GridView in order to have a GUI-based table to interact with.
Interpreting results
As already introduced, Find-AllPersistence outputs an array of PowerShell Custom Objects. Each object has the following properties, which can be used to filter, sort and better understand the different techniques the function looks for:
- ComputerName: this is pretty straightforward. If you run Find-AllPersistence with no -ComputerName parameter, PersistenceSniper will run only on the local machine. Otherwise it will run on the remote computer(s) you specify;
- Technique: this is the name of the technique itself, as it is commonly known in the community;
- Classification: this property can be used to quickly identify techniques based on their MITRE ATT&CK technique and sub-technique number. For those techniques which don't have a MITRE ATT&CK classification, other classifications are used, the most common being Hexacorn's, since a lot of techniques have been discovered by him. When a technique's source can't be reliably identified, the "Uncatalogued Technique N.#" classification is used;
- Path: this is the path, on the filesystem or in the registry, at which the technique has been implanted;
- Value: this is the value of the registry property the technique uses, or the name of the executable/library used, in case it is a technique which relies on planting something on the filesystem;
- Access Gained: this is the kind of access the technique grants the attacker. If it is a Run key under HKCU, for example, the access gained will be at user level, while if it is under HKLM it will be at system level;
- Note: this is a quick explanation of the technique, so that its workings can be easily grasped;
- Reference: this is a link to a more in-depth explanation of the technique, should the analyst need to study it further.
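An added example (not from the PersistenceSniper project) of triaging a sweep across several hosts using the properties above; the host names and output file are placeholders I chose:

```powershell
# Added example, not part of PersistenceSniper. Assumes the module is installed
# and that the target hosts (hypothetical names) accept PowerShell remoting.
Import-Module PersistenceSniper
$Targets  = 'WKS-01', 'WKS-02', 'SRV-FILE01'
$Findings = Find-AllPersistence -ComputerName $Targets

# Property names contain spaces, so quote them when accessing them on $_
$SystemLevel = $Findings | Where-Object { $_.'Access Gained' -eq 'System' }

# Count System-level hits per host and technique; rare combinations stand out
$SystemLevel | Group-Object ComputerName, Technique |
    Sort-Object Count |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Techniques present on exactly one host of the sweep deserve a first look,
# since legitimate autostarts tend to appear fleet-wide
$Findings | Group-Object Technique |
    Where-Object { @($_.Group.ComputerName | Select-Object -Unique).Count -eq 1 } |
    Select-Object Name,
        @{ n = 'Host'; e = { $_.Group[0].ComputerName } },
        @{ n = 'Path'; e = { $_.Group[0].Path } },
        @{ n = 'Value'; e = { $_.Group[0].Value } } |
    Format-Table -AutoSize

# Hand the whole set to a GUI grid; rows selected there are kept for follow-up
$Picked = $Findings | Out-GridView -Title 'PersistenceSniper findings' -PassThru
$Picked | Export-Csv -Path .\to_investigate.csv -NoTypeInformation
```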
Dealing with false positives
Let's face it, hunting for persistence techniques also comes with having to deal with a lot of false positives. This happens because, while some techniques are almost never legitimately used, many indeed are, by legitimate software which needs to autorun on system boot or user login.
This poses a problem, which in many environments can be tackled by creating a CSV file containing known false positives. If your organization deploys systems using something like a golden image, you can run PersistenceSniper on a system you have just created, get a CSV of the results and use it to filter out results on other machines. This approach comes with the following benefits:
- Not having to maintain a whitelist of persistences, which can be tedious and error-prone;
- Tailoring the false positives to the organizations, and their organizational units, which use the tool;
- Making it harder for attackers who want to blend in with false positives, by not publicly disclosing them in the tool's code.
Find-AllPersistence comes with parameters allowing direct output of the findings to a CSV file, while also being able to take a CSV file as input and diff the results against it:
PS C:\> Find-AllPersistence -DiffCSV false_positives.csv
Looking for persistences by taking incremental snapshots
One cool way to use PersistenceSniper that my mate Riccardo suggested is to use it in an incremental fashion: you could set up a Scheduled Task which runs every X hours, takes in the output of the previous iteration through the -DiffCSV parameter and outputs the results to a new CSV. By keeping track of the incremental changes, you should be able to spot, within a fairly small timeframe, new persistences implanted on the machine you are monitoring.
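Putting the golden-image baseline and the incremental snapshot idea together, here is an added example (not part of PersistenceSniper) that writes a snapshot script and registers it as a Scheduled Task; the directory, file names, interval and task name are my own choices, and the script keeps a cumulative known.csv so each run reports only entries never seen before:

```powershell
# Added example, not part of PersistenceSniper. Assumes the module is installed
# from the PowerShell Gallery and that the paths below (hypothetical) are used.
$SnapshotDir = 'C:\PersistenceSnapshots'   # make this writable by admins only
$ScriptPath  = Join-Path $SnapshotDir 'Take-Snapshot.ps1'

# Body of the snapshot script the scheduled task will execute
$SnapshotScript = @'
Import-Module PersistenceSniper
$SnapshotDir = 'C:\PersistenceSnapshots'
$KnownCsv    = Join-Path $SnapshotDir 'known.csv'
$Stamp       = Get-Date -Format 'yyyyMMdd_HHmmss'
$NewCsv      = Join-Path $SnapshotDir "new_$Stamp.csv"

if (Test-Path $KnownCsv) {
    # Report only entries not already present in the cumulative baseline
    $Findings = Find-AllPersistence -DiffCSV $KnownCsv
} else {
    # First run with no baseline: everything found becomes the baseline
    $Findings = Find-AllPersistence
}

if ($Findings) {
    # Dated file holds only what is new since the previous run; ship it to
    # your SIEM or ticketing system from here
    $Findings | Export-Csv -Path $NewCsv -NoTypeInformation
    # Fold the new entries into the baseline so the next run skips them
    $Findings | Export-Csv -Path $KnownCsv -NoTypeInformation -Append
}
'@

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
Set-Content -Path $ScriptPath -Value $SnapshotScript

# Run as SYSTEM so HKLM and service-level checks are not blocked, every 6 hours
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 6)
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'PersistenceSniper-Snapshot' `
    -Action $Action -Trigger $Trigger -Principal $Principal | Out-Null
```

Seed known.csv with the CSV exported from a freshly built golden image so the first scheduled run already excludes the known false positives. Keep the snapshot directory writable only by administrators, since a task running as SYSTEM from a script anyone can edit would itself be a persistence mechanism.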
Persistence techniques implemented so far
The topic of persistence, especially on Windows machines, is one of those which sees new discoveries basically every other week. Given the sheer number of persistence techniques found so far by researchers, I am still in the process of implementing them. So far the following 31 techniques have been implemented successfully:
Credits
The techniques implemented in this script have already been published by skilled researchers around the globe, so it is right to give credit where credit's due. This project wouldn't be around if it weren't for:
I'd also like to give credit to my fellow mates at @APTortellini, particularly Riccardo Ancarani, for the flood of ideas that helped it grow from a puny text-oriented script to a full-fledged PowerShell tool.
License
This project is under the CC0 1.0 Universal license. TL;DR: you can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.