PersistenceSniper is a Powershell tool that Blue Teams, Incident Responders, and System Administrators can use to find persistent threats on Windows machines. It is also on Powershell Gallery, and a legal code signing certificate has been used to digitally sign it. The tool is still being worked on, and new versions come out every week, so make sure to use the most recent one. @PersistSniper is the official Twitter/X handle.
Why writing such a tool, you might ask. Well, for starters, I tried looking around and I did not find a tool which fit my particular use case, which was looking for known persistence techniques, automatically, across multiple machines, while also being able to quickly and easily parse and compare results. Sure, Sysinternals’ Autoruns is an amazing tool and it’s definitely worth using, but, given it outputs data in non-standard formats and can’t be run remotely unless you do some shenanigans with its command line equivalent, I did not find it a good fit for me. Plus, some of the techniques I implemented so far in PersistenceSniper have not been put into Autoruns yet, as far as I know. Anyway, if what you need is an easy to use, GUI based tool with lots of already developed features, Autoruns is the way to go, otherwise let PersistenceSniper have a shot, it won’t miss it 🙂
Using PersistenceSniper is as simple as firing up Powershell as Administrator and running:
PS C:\> Install-Module PersistenceSniper
PS C:\> Import-Module PersistenceSniper
PS C:\> Find-AllPersistence
This will install the PersistenceSniper module using the Powershell Gallery version (which is automatically updated through a Github action every time a new version is pushed here on Github). Otherwise, you can use the Github hosted version:
PS C:\> git clone https://github.com/last-byte/PersistenceSniper
PS C:\> Import-Module .\PersistenceSniper\PersistenceSniper\PersistenceSniper.psd1
PS C:\> Find-AllPersistence
If you need a detailed explanation of how to use the tool or which parameters are available and how they work, PersistenceSniper’s Find-AllPersistence
supports Powershell’s help features, so you can get detailed, updated help by using the following command after importing the module:
Get-Help -Name Find-AllPersistence -Full
If you only want to check for a single persistence technique, you can rely on Find-AllPersistence
‘s PersistenceMethod
parameter. Say, for example, you only want to check for persistences implanted through the Run and RunOnce registry keys:
PS C:\> Find-AllPersistence -PersistenceMethod RunAndRunOnce
The PersistenceMethod
parameter uses Powershell’s ValidateSet
directive, so you can tab through it instead of writing down the persistence method of choice.
PersistenceSniper’s Find-AllPersistence
returns an array of objects of type PSCustomObject with the following properties:
$PersistenceObject = [PSCustomObject]@{
'ComputerName' = $ComputerName
'Technique' = $Technique
'Classification' = $Classification
'Path' = $Path
'Value' = $Value
'Access Gained' = $AccessGained
'Note' = $Note
'Reference' = $Reference
'Signature' = Find-CertificateInfo (Get-ExecutableFromCommandLine $Value)
'IsBuiltinBinary' = Get-IfBuiltinBinary (Get-ExecutableFromCommandLine $Value)
'IsLolbin' = Get-IfLolBin (Get-ExecutableFromCommandLine $Value)
'VTEntries' = CheckHashAgainstVT(Get-ExecutableFromCommandLine $Value)
}
This allows for easy output formatting and filtering. Let’s say you only want to see the persistences that will allow the attacker to regain access as NT AUTHORITY\SYSTEM (aka System):
PS C:\> Find-AllPersistence | Where-Object "Access Gained" -EQ "System"
Of course, being PersistenceSniper a Powershell-based tool, some cool tricks can be performed, like passing its output to Out-GridView
in order to have a GUI-based table to interact with.
As already introduced, Find-AllPersistence
outputs an array of Powershell Custom Objects. Each object has the following properties, which can be used to filter, sort and better understand the different techniques the function looks for:
Find-AllPersistence
without a -ComputerName
parameter, PersistenceSniper will run only on the local machine. Otherwise it will run on the remote computer(s) you specify;-VTApiKey
is present; a value different from “N/A” will indicate that the identified file is known and has zero or more detections.Thanks to Antonio Blescia Find-AllPersistence
now supports the -LogFindings
parameter, which saves the output of the tool in the Windows Event Log, under Windows Logs\Application
with source PersistenceSniper
.
Let’s face it, hunting for persistence techniques also comes with having to deal with a lot of false positives. This happens because, while some techniques are almost never legimately used, many indeed are by legit software which needs to autorun on system boot or user login.
This poses a challenge, which in many environments can be tackled by creating a CSV file containing known false positives. If your organization deploys systems using something like a golden image, you can run PersistenceSniper on a system you just created, get a CSV of the results and use it to filter out results on other machines. This approach comes with the following benefits:
Find-AllPersistence
comes with parameters allowing direct output of the findings to a CSV file, while also being able to take a CSV file as input and diffing the results.
PS C:\> Find-AllPersistence -DiffCSV false_positives.csv
One cool way to use PersistenceSniper my mate Riccardo suggested is to use it in an incremental way: you could setup a Scheduled Task which runs every X hours, takes in the output of the previous iteration through the -DiffCSV
parameter and outputs the results to a new CSV. By keeping track of the incremental changes, you should be able to spot within a reasonably small time frame new persistences implanted on the machine you are monitoring.
The topic of persistence, especially on Windows machines, is one of those which see new discoveries basically every other week. Given the sheer amount of persistence techniques found so far by researchers, I am still in the process of implementing them. So far the following 50 techniques have been implemented successfully:
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…