Closed strassi closed 4 months ago
Mmmmh... This is definitely a bug in that the function should return the presence of the Run key regardless of how safe the binary is considered to be. I'll make sure to fix it right away, thanks for pointing this out!
I think the most straightforward fix is to just add powershell.exe to the lolbin list. I'm curious though as to why LOLBAS' maintainers did not include Powershell.exe to the list...
Hi,
awesome project! I found a bug though, that might be rooted in the way you reference the lolbas project, because this project is missing "powershell.exe" as a lolbin
Setup
Current Behavior
Get-IfSafeExecutable is true. The Get-IfSafeExecutable has an additional LolBas check. This checks if the prop value contains a lolbas binary. The problem is that powershell.exe is not in this list. Since it is a Builtin Binary and the lolbas check fails, the binary is considered safe.
Expected Behavior
The output of the PersistenceSniper should display the registry key "Skype".
Additional Details
I get the same invalid behavior if I use the -IncludeHighFalsePositivesChecks switch.
Possible solutions
- Add powershell.exe to lolbas project
- Add powershell.exe in the Get-ifLolBin list manually
- Get-ifCmdInterpreter with powershell.exe, cmd.exe as blacklist to always report persistence using such command line interpreters.
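To make the decision the issue describes concrete, here is an added illustration that is not PersistenceSniper's own code: a simplified model of the "is this Run-key executable safe?" check, with the interpreter blacklist proposed above as an optional switch. The list contents, the function names (Test-SafeExecutable, Get-ExecutableName) and the sample Run-key value are constructed for this example.

```powershell
# Constructed stand-ins for the real lists. As the issue reports, the LOLBAS-derived
# list does not contain powershell.exe, while the built-in-binary list does.
$LolBinList      = @('certutil.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe')
$BuiltinList     = @('explorer.exe', 'powershell.exe', 'cmd.exe', 'svchost.exe')
# Proposed fix from the issue: command interpreters are never treated as safe.
$CmdInterpreters = @('powershell.exe', 'cmd.exe')

function Get-ExecutableName {
    param([string]$Value)
    # First token of the Run-key value (quoted or unquoted), reduced to the bare file name.
    $trimmed = $Value.Trim()
    $first = if ($trimmed -match '^"([^"]+)"') { $Matches[1] } else { ($trimmed -split '\s+')[0] }
    return ([System.IO.Path]::GetFileName($first)).ToLowerInvariant()
}

function Test-SafeExecutable {
    param(
        [string]$Value,
        [switch]$ApplyInterpreterBlacklist   # off = behaviour reported in the issue, on = proposed fix
    )
    $exe = Get-ExecutableName -Value $Value
    # Proposed fix: a command interpreter is always reported, whatever the other lists say.
    if ($ApplyInterpreterBlacklist -and ($CmdInterpreters -contains $exe)) { return $false }
    # LOLBAS check: a known lolbin is never safe.
    if ($LolBinList -contains $exe) { return $false }
    # Remaining logic from the issue: built-in and not a lolbin => considered safe.
    return ($BuiltinList -contains $exe)
}

# Constructed sample Run-key value of the kind the issue describes:
# a value named "Skype" that launches powershell.exe with a script path.
$runValue = 'powershell.exe -WindowStyle Hidden -File C:\Users\Public\skype.ps1'

# Behaviour reported in the issue: powershell.exe passes as a safe built-in binary.
Test-SafeExecutable -Value $runValue
# With the interpreter blacklist the same value is no longer considered safe.
Test-SafeExecutable -Value $runValue -ApplyInterpreterBlacklist
```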