PowerShell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
Hi,
I provide the project with a fix for a false-positive in the suborner attack caused by a whitespace in the username. This is being caused by a faulty splitting implementation in the Parse-NetUser function.
I tried to keep in touch with your coding style. Another style of fix would possibly be:
Setup
PersistenceSniper 1.15.1
Actual behavior
I have a user on my test machine called " ". Running the suborner attack checks results in a detection because the user gets split into two users 1. 2. .
Expected behavior
Users with a whitespace in their name should not cause a suborner attack detection. They should be represented as " ".
Root cause
I discovered that the problem is rooted in the function "parse-netuser". The splitting mechanism causes the whitespace username to be split into two separate accounts. This has been fixed by this pull request.
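The root cause described above, shown as an added example; it is not the project's Parse-NetUser code and not the fix from this pull request. It assumes `net user` prints account names in 25-character columns; the host name, the account "John Doe" and the helper function names are constructed for illustration.

```powershell
# Helper (hypothetical): build one row of names padded to the assumed column width.
function New-Row { param([string[]]$Names) -join ($Names | ForEach-Object { $_.PadRight(25) }) }

# Constructed sample of `net user` output; host and account names are made up.
$sample = @(
    ''
    'User accounts for \\WORKSTATION'
    ''
    '-' * 79
    New-Row 'Administrator','DefaultAccount','Guest'
    New-Row 'John Doe','WDAGUtilityAccount'
    'The command completed successfully.'
    ''
)

function Get-AccountRows {
    param([string[]]$Lines)
    # Account rows follow the dashed separator line.
    $sep = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^-{10,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0) { return }
    # Drop blank lines, then the trailing (localized) completion message.
    $Lines | Select-Object -Skip ($sep + 1) | Where-Object { $_.Trim() } | Select-Object -SkipLast 1
}

function Split-OnWhitespace {
    param([string[]]$Rows)
    # Faulty pattern: any run of whitespace separates names, so "John Doe" becomes two.
    foreach ($row in $Rows) { $row -split '\s+' | Where-Object { $_ } }
}

function Split-OnColumns {
    param([string[]]$Rows, [int]$Width = 25)   # assumed column width
    # Slice each row into fixed-width cells; spaces inside a cell stay in the name.
    foreach ($row in $Rows) {
        for ($i = 0; $i -lt $row.Length; $i += $Width) {
            $cell = $row.Substring($i, [Math]::Min($Width, $row.Length - $i)).Trim()
            if ($cell) { $cell }
        }
    }
}

$rows = @(Get-AccountRows $sample)
'Whitespace split: ' + ((Split-OnWhitespace $rows) -join ' | ')
'Column split:     ' + ((Split-OnColumns $rows) -join ' | ')
```

Comparing the two printed lines shows where an account list built by whitespace splitting diverges from the real accounts, which is the kind of mismatch that surfaces as a false positive.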