Implementing new output features

[ablescia]

As Threat Hunter I use PersistenceSniper during my Threat Huntig and Incident Response activities. Every time I used this tool I was encouraged by the below issue:

• CSV Export Header problem: PersistenceSniper exports the detected persistence in CSV file format. In the first line, the file contains the #TYPE tag that it is necessary to eliminate to parse correctly the file.
• Only CSV Export: I use PersistenceSniper by deploying it using a GPO and every time I need to write the results of every machine inside a common shared folder. This is very tricky because in production environments I need to collect, store, and compare all the files to detect new persistences.

To resolve these two issues I created a Powershell module that implements the following improvements:

• Removes the #TYPE System.Management.Automation.PSCustomObject header
• Implements new output formats. Now the tool supports CSV, JSON, and Windows Events.

By interfacing the tool with ETW I have two advantages:

• Ship the results to an Elasticsearch/OpenSeach Cluster using winlogbeat.
• Write abstract analytics and create a long-term monitoring program. Every Persistence Technique has its own unique EventId.

[last-byte]

Hi, I decided to implement the CSV fix right away by directly removing the header that was creating you problems by adding the -NoTypeInformation parameter while calling the CSV output function. However, I need some more time to evaluate the other changes you propose as I feel like some of them significantly change how the tool works. However, in the meantime, in order to adapt the output to other formats like JSON, you could use the following hack:

Find-AllPersistence | ConvertTo-Json

[ablescia]

Hi, I decided to implement the CSV fix right away by directly removing the header that was creating you problems by adding the -NoTypeInformation parameter while calling the CSV output function. However, I need some more time to evaluate the other changes you propose as I feel like some of them significantly change how the tool works. However, in the meantime, in order to adapt the output to other formats like JSON, you could use the following hack:

Find-AllPersistence | ConvertTo-Json

We can integrate the ETW interfacing function by default. In this way we could avoid modifying the tool so radically. Meanwhile, we can use the ConvertTo-Json cmdlet to implement the JSON output format as you suggest.

What do you think?