last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

Support to ETW Interfacing #18

Closed ablescia closed 1 year ago

ablescia commented 1 year ago

To avoid a deep tool modification as submitted here, I created this pull request to add support only for the ETW interfacing.

In detail, I added a switch argument allowing PersistenceSniper to log entries inside the Application channel.

```powershell
Find-AllPersistence -OutputETW
```

Screenshot from 2023-05-15 13-28-10

Screenshot from 2023-05-15 13-29-30
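The pattern the `-OutputETW` switch describes, as an added illustration that is not PersistenceSniper's own code: each finding is written as one event into the Application log, and a companion function reads the events back so a responder can verify they landed or ship them to a SIEM. The source name `PersistenceSniperDemo`, the event ID 1001 and the sample finding are assumptions made for this example.

```powershell
# Added example, not code from the PersistenceSniper project.
# Source name and event ID are assumptions for this illustration.
$Source  = 'PersistenceSniperDemo'
$EventId = 1001

function Register-FindingSource {
    # Creating a new source under Application needs one elevated session;
    # afterwards any session can write with it.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
}

function Write-PersistenceFinding {
    param([Parameter(Mandatory)] [pscustomobject] $Finding)
    # One event per finding; a compact JSON body keeps every field parseable
    # by whatever collector reads the Application log.
    $body = $Finding | ConvertTo-Json -Compress
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType Warning -Message $body
}

function Get-PersistenceFindings {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    # Filter on this source and ID only, then rehydrate the JSON message.
    $filter = @{ LogName = 'Application'; ProviderName = $Source
                 Id = $EventId; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message | ConvertFrom-Json }
}

# Constructed sample finding, not real tool output.
$sample = [pscustomobject]@{
    Technique = 'Registry Run Key'
    Path      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    Value     = 'Updater'
    Hostname  = $env:COMPUTERNAME
}

Register-FindingSource
Write-PersistenceFinding -Finding $sample
Get-PersistenceFindings | Format-Table Technique, Path, Value, Hostname
```

`Get-WinEvent` treats the classic source name as the provider name, so the same filter hashtable works for forwarding the events with Windows Event Forwarding or any agent that subscribes to the Application log.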

last-byte commented 1 year ago

I slightly modified the code and directly merged it locally. I credited your amazing work at the end of the Interpreting Results section.