Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
PersistenceSniper is an excellent tool for detecting persistences on a system. I use it regularly in my daily Threat Hunting activities. But I also believe this tool could significantly enhance a Detection Engineer's program.
For this reason, the Write-ToETW module is essential to forward the PersistenceSniper result to ETW (Event Tracing for Windows) and then ingest it into a SIEM.
By using a custom provider, we can have preformatted events that do not require parsing during the ingestion phase.
To avoid backward-compatibility problems, this pull request contains a separate folder called Plugins/Write-ToETW that contains the following files:
ETWLib.cs: C# file that contains the EventSource source code
PersistenceSniper.man: ETW instrumentation file for PersistenceSniper logs
WinSDKInstaller: script used to install the Windows SDK. It is necessary to compile the Instrumentation Manifest
Write-ToETW.psm1: PowerShell module that contains the function used to ship the result to ETW
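To show what "a custom provider with preformatted events" means in practice, here is an added example that is not part of this pull request or of the PersistenceSniper project. It defines a small C# EventSource inline with Add-Type and a pipeline function that emits one ETW event per finding. Assumptions, labelled as such: the provider name PersistenceSniper-Example, the class PersistenceSniperEventSource and the function Send-PersistenceToEtw are invented here; Find-AllPersistence and the property names Technique, Classification, Path, Value, AccessGained and Note are assumed to match PersistenceSniper's output objects. Unlike the PR's ETWLib.cs plus compiled .man manifest, this example uses the self-describing event format so the events can be decoded without registering a manifest; the trade-off is that the provider is not listed in the system's registered manifests, which is what the PR's approach gives you.

```powershell
# Added example, not code from the PersistenceSniper project or this PR.
# Assumed names: provider "PersistenceSniper-Example", class PersistenceSniperEventSource,
# function Send-PersistenceToEtw. Finding property names are assumed from Find-AllPersistence.

$source = @"
using System;
using System.Diagnostics.Tracing;

// Minimal ETW provider. EtwSelfDescribingEventFormat embeds the field schema in the
// trace itself, so no compiled instrumentation manifest is required to decode events.
[EventSource(Name = "PersistenceSniper-Example")]
public sealed class PersistenceSniperEventSource : EventSource
{
    public static readonly PersistenceSniperEventSource Log = new PersistenceSniperEventSource();

    private PersistenceSniperEventSource()
        : base(EventSourceSettings.EtwSelfDescribingEventFormat) { }

    // Event ID 1: one event per persistence finding. Fixed, named fields mean the
    // SIEM receives structured data and needs no parsing step at ingestion.
    [Event(1, Level = EventLevel.Warning, Message = "Persistence found: {0} at {2}")]
    public void PersistenceFound(string Technique, string Classification, string Path,
                                 string Value, string AccessGained, string Note)
    {
        if (IsEnabled())
        {
            WriteEvent(1, Technique, Classification, Path, Value, AccessGained, Note);
        }
    }
}
"@
Add-Type -TypeDefinition $source

function Send-PersistenceToEtw {
    # Accepts PersistenceSniper finding objects from the pipeline and writes each
    # one as ETW event 1 of the provider above. Null properties become "" so the
    # WriteEvent object[] overload never receives a null string.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Finding
    )
    process {
        [PersistenceSniperEventSource]::Log.PersistenceFound(
            [string]$Finding.Technique,
            [string]$Finding.Classification,
            [string]$Finding.Path,
            [string]$Finding.Value,
            [string]$Finding.AccessGained,
            [string]$Finding.Note)
    }
}

# Constructed sample finding, so the pipeline can be exercised without running the scanner.
$sampleFinding = [pscustomobject]@{
    Technique      = 'Sample Run Key'           # constructed value
    Classification = 'constructed sample'       # constructed value
    Path           = 'HKCU:\constructed\sample' # constructed value
    Value          = 'C:\constructed\sample.exe'
    AccessGained   = 'User'
    Note           = 'constructed sample finding for the example'
}
$sampleFinding | Send-PersistenceToEtw

# Real run (assumes the PersistenceSniper module is installed):
#   Import-Module PersistenceSniper
#   Find-AllPersistence | Send-PersistenceToEtw
#
# Capturing the events on the host into an .etl file; the provider GUID is derived
# from the source name, so read it from the instance rather than hard-coding it:
#   $guid = [PersistenceSniperEventSource]::Log.Guid
#   logman start PSniperTrace -p "{$guid}" -o psniper.etl -ets
#   logman stop PSniperTrace -ets
```

The GUID lookup matters for the SIEM side: an agent that subscribes to ETW needs the provider GUID or name, and with EventSource the GUID is a hash of the name, so renaming the provider silently changes the subscription key.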