last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

RunAndRunOnce Method does not detect powershell.exe entries #23

Closed strassi closed 4 months ago

strassi commented 5 months ago

Hi,

awesome project! I found a bug though, that might be rooted in the way you reference the lolbas project, because this project is missing "powershell.exe" as a lolbin 🤔 🤣

Setup

PersistenceSniper ModuleVersion = '1.15.0'

PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Current Behavior

I created two Run Keys under the current user (Skype and SymantecEndpointProtection)

I ran the Persistence Sniper as "Administrator". You can see a modified output that I used for debugging. It states that the binary is considered safe. This output is given if the Get-IfSafeExecutable is true.

The Get-IfSafeExecutable has an additional LolBas check. This checks if the prop value contains a lolbas binary. The problem is that powershell.exe is not in this list. Since it is a Builtin Binary and the lolbas check fails, the binary is considered safe.

Expected Behavior

The output of the PersistenceSniper should display the registry key "Skype".

Additional Details

I get the same invalid behavior if I use the -IncludeHighFalsePositivesChecks switch.

Possible solutions

last-byte commented 5 months ago

Mmmmh... This is definitely a bug in that the function should return the presence of the Run key regardless of how safe the binary is considered to be. I'll make sure to fix it right away, thanks for pointing this out!

last-byte commented 4 months ago

I think the most straightforward fix is to just add powershell.exe to the lolbin list. I'm curious though as to why LOLBAS' maintainers did not include Powershell.exe to the list...

last-byte commented 4 months ago

Fixed it in version 1.15.1.
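The detection gap discussed in this issue, reduced to a runnable model as an added example. This is not PersistenceSniper's own code and does not reproduce its Get-IfSafeExecutable implementation; it only models the decision strassi describes ("built-in binary and not on the LOLBAS list, therefore safe") over two constructed Run-key values, and shows the same values once powershell.exe is on the list. The LOLBAS list, the "built-in" directory rule (anything under C:\Windows) and the two Run-key command lines are all constructed assumptions for the illustration.

```powershell
# Added example, not PersistenceSniper's code. Models the "safe executable"
# decision described in issue #23 and the effect of adding powershell.exe to
# the LOLBAS list (the fix shipped in 1.15.1).

# Constructed, heavily abbreviated LOLBAS-style list WITHOUT powershell.exe,
# as the issue describes the upstream list.
$LolbasList      = @('mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')
# The same list with powershell.exe added, as the maintainer's fix does.
$LolbasListFixed = $LolbasList + 'powershell.exe'

# Assumption for the example: a binary is "built-in" when it lives under C:\Windows.
$WindowsDir = 'C:\Windows'

function Get-ExecutableFromValue {
    param([string]$Value)
    # A Run value is a command line: either "quoted path" arguments or path arguments.
    if ($Value -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Value -split '\s+', 2)[0]
}

function Test-IfSafeExecutable {
    # Returns $true when the entry would be suppressed by the flawed rule:
    # built-in location AND not a known LOLBAS binary.
    param([string]$Value, [string[]]$Lolbas)
    $exe       = Get-ExecutableFromValue $Value
    $name      = [System.IO.Path]::GetFileName($exe)
    $isBuiltin = $exe.StartsWith($WindowsDir, [System.StringComparison]::OrdinalIgnoreCase)
    $isLolbin  = $Lolbas -contains $name          # -contains is case-insensitive
    return ($isBuiltin -and -not $isLolbin)
}

function Get-RunEntryVerdicts {
    # Emits one object per Run entry so every key stays visible, with the
    # "safe" verdict as a column rather than a reason to drop the entry.
    param($Entries, [string[]]$Lolbas)
    foreach ($name in $Entries.Keys) {
        $value = $Entries[$name]
        $exe   = Get-ExecutableFromValue $value
        [pscustomobject]@{
            Name       = $name
            Executable = [System.IO.Path]::GetFileName($exe)
            IsBuiltin  = $exe.StartsWith($WindowsDir, [System.StringComparison]::OrdinalIgnoreCase)
            IsLolbin   = $Lolbas -contains [System.IO.Path]::GetFileName($exe)
            Safe       = Test-IfSafeExecutable -Value $value -Lolbas $Lolbas
            Value      = $value
        }
    }
}

# Constructed Run-key values mirroring the two entry names from the issue.
# Which binary strassi used is not stated; these are illustrative only.
$RunValues = [ordered]@{
    'Skype'                      = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1'
    'SymantecEndpointProtection' = '"C:\Windows\System32\rundll32.exe" C:\Users\Public\helper.dll,Start'
}

'--- LOLBAS list without powershell.exe: the Skype entry is suppressed ---'
Get-RunEntryVerdicts $RunValues $LolbasList | Where-Object { -not $_.Safe } |
    Format-Table Name, Executable, IsBuiltin, IsLolbin -AutoSize

'--- LOLBAS list with powershell.exe: both entries are reported ---'
Get-RunEntryVerdicts $RunValues $LolbasListFixed | Where-Object { -not $_.Safe } |
    Format-Table Name, Executable, IsBuiltin, IsLolbin -AutoSize

'--- Full listing regardless of verdict (every Run key visible, verdict as a column) ---'
Get-RunEntryVerdicts $RunValues $LolbasListFixed |
    Format-Table Name, Executable, IsBuiltin, IsLolbin, Safe -AutoSize
```

With the first list only the rundll32.exe entry survives the filter, because powershell.exe is built-in and absent from the list; with powershell.exe added, both entries are reported. The last listing shows the alternative last-byte mentions in the first reply: emit every Run key and carry the "safe" verdict alongside it, so a built-in interpreter missing from a allow/deny list lowers the score of a finding rather than hiding it.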