PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery.
Why writing such a tool, you might ask. Well, for starters, I tried looking around and I did not find a tool which suited my particular use case, which was looking for known persistence techniques, automatically, across multiple machines, while also being able to quickly and easily parse and compare results. Sure, Sysinternals’ Autoruns is an amazing tool and it’s definitely worth using, but, given it outputs results in non-standard formats and can’t be run remotely unless you do some shenanigans with its command line equivalent, I did not find it a good fit for me. Plus, some of the techniques I implemented so far in PersistenceSniper have not been implemented into Autoruns yet, as far as I know. Anyway, if what you need is an easy to use, GUI based tool with lots of already implemented features, Autoruns is the way to go, otherwise let PersistenceSniper have a shot, it won’t miss it 🙂
Using PersistenceSniper is as simple as:
PS C:> git clone https://github.com/last-byte/PersistenceSniper
PS C:> Import-Module .PersistenceSniperPersistenceSniperPersistenceSniper.psd1
PS C:> Find-AllPersistence
If you need a detailed explanation of how to use the tool or which parameters are available and how they work, PersistenceSniper’s
Find-AllPersistence supports Powershell’s help features, so you can get detailed, updated help by using the following command after importing the module:
Get-Help -Name Find-AllPersistence -Full
Find-AllPersistence returns an array of objects of type PSCustomObject with the following properties:
PS C:> Find-AllPersistence | Where-Object "Access Gained" -EQ "System"
Of course, being PersistenceSniper a Powershell-based tool, some cool tricks can be performed, like passing its output to
Out-GridView in order to have a GUI-based table to interact with.
As already introduced,
Find-AllPersistence outputs an array of Powershell Custom Objects. Each object has the following properties, which can be used to filter, sort and better understand the different techniques the function looks for:
- ComputerName: this is fairly straightforward. If you run
-ComputerNameparameter, PersistenceSniper will run only on the local machine. Otherwise it will run on the remote computer(s) you specify;
- Technique: this is the name of the technique itself, as it’s commonly known in the community;
- Classification: this property can be used to quickly identify techniques based on their MITRE ATT&CK technique and subtechnique number. For those techniques which don’t have a MITRE ATT&CK classification, other classifications are used, the most common being Hexacorn’s one since a lot of techniques were discovered by him. When a technique’s source cannot be reliably identified, the “Uncatalogued Technique N.#” classification is used;
- Path: this is the path, on the filesystem or in the registry, at which the technique has been implanted;
- Value: this is the value of the registry property the techniques uses, or the name of the executable/library used, in case it’s a technique which relies on planting something on the filesystem;
- Access Gained: this is the kind of access the technique grants the attacker. If it’s a Run key under HKCU for example, the access gained will be at a user level, while if it’s under HKLM it will be at system level;
- Note: this is a quick explanation of the technique, so that its workings can be easily grasped;
- Reference: this is a link to a more in-depth explanation of the technique, should the analyst need to study it more.
Dealing with false positives
Let’s face it, hunting for persistence techniques also comes with having to deal with a lot of false positives. This happens because, while some techniques are almost never legimately used, many indeed are by legit software which needs to autorun on system boot or user login.
This poses a challenge, which in many environments can be tackled by creating a CSV file containing known false positives. If your organization deploys systems using something like a golden image, you can run PersistenceSniper on a system you just created, get a CSV of the results and use it to filter out results on other machines. This approach comes with the following benefits:
- Not having to manage a whitelist of persistences which can be tedious and error-prone;
- Tailoring the false positives to the organizations, and their organizational units, which use the tool;
- Making it harder for attackers who want to blend in false positives by not publicly disclosing them in the tool’s code.
Find-AllPersistence comes with parameters allowing direct output of the findings to a CSV file, while also being able to take a CSV file as input and diffing the results.
PS C:> Find-AllPersistence -DiffCSV false_positives.csv
Looking for persistences by taking incremental snapshots
One cool way to use PersistenceSniper my mate Riccardo suggested is to use it in an incremental way: you could setup a Scheduled Task which runs every X hours, takes in the output of the previous iteration through the
-DiffCSV parameter and outputs the results to a new CSV. By keeping track of the incremental changes, you should be able to spot within a reasonably small time frame new persistences implanted on the machine you are monitoring.
Persistence techniques implemented so far
The topic of persistence, especially on Windows machines, is one of those which see new discoveries basically every other week. Given the sheer amount of persistence techniques found so far by researchers, I am still in the process of implementing them. So far the following 31 techniques have been implemented successfully:
- Run Key
- RunOnce Key
- Image File Execution Options
- Natural Language Development Platform 6 DLL Override Path
- AEDebug Keys
- Windows Error Reporting Debugger
- Windows Error Reporting ReflectDebugger
- Command Prompt AutoRun
- Explorer Load
- Winlogon Userinit
- Winlogon Shell
- Windows Terminal startOnUserLogin
- AppCertDlls DLL Injection
- App Paths Hijacking
- ServiceDll Hijacking
- Group Policy Extensions DLLs
- Winlogon MPNotify
- CHM Helper DLL
- Hijacking of hhctrl.ocx
- Startup Folder
- User Init Mpr Logon Script
- AutodialDLL Winsock Injection
- LSA Extensions DLL
- ServerLevelPluginDll DNS Server DLL Hijacking
- LSA Authentication Packages DLL
- LSA Security Packages DLL
- Winlogon Notify Packages DLL
- Explorer Tools Hijacking
- .NET DbgManagedDebugger
- ErrorHandler.cmd Hijacking
- WMI Subscriptions
The techniques implemented in this script have already been published by skilled researchers around the globe, so it’s right to give credit where credit’s due. This project wouldn’t be around if it weren’t for:
- Hexacorn and his never-ending Beyond good ol’ Run key series;
- Grzegorz Tworek and his amazing persistence-info.github.io website;
- All the other researchers who disclosed cool and unknown persistence techniques.
I’d also like to give credits to my fellow mates at @APTortellini, in particular Riccardo Ancarani, for the flood of ideas that helped it grow from a puny text-oriented script to a full-fledged Powershell tool.
This project is under the CC0 1.0 Universal license. TL;DR: you can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.