last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

Username containing whitespaces causes suborner attack false-positive #24

Closed strassi closed 3 months ago

strassi commented 4 months ago

Hi,

I provide the project with a fix for a false-positive in the suborner attack caused by a whitespace in the username. This is being caused by a faulty splitting implementation in the Parse-NetUser function.

I tried to keep in touch with your coding style. Another style of fix would possibly be:

# Split each line of the `net user` output only on runs of two or more spaces:
# the fixed-width columns are separated by several spaces, while a single
# space inside a username is part of the name and must not produce a new entry.
$contentArray += $item | ForEach-Object {
    $_ -split '\s{2,}' | Where-Object { $_ -ne '' }
}

Setup

PersistenceSniper 1.15.1

Actual behavior

I have a user on my test machine called " ". Running the suborner attack checks results in a detection because the user gets split into two users 1. 2. .

Expected behavior

Users with a whitespace in their name should not cause a suborner attack detection. They should be represented as " ".

Root cause

I discovered that the problem is rooted in the function "parse-netuser". The splitting mechanism causes the whitespace username to be split into two separate accounts. This has been fixed by this pull request.
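To make the false positive concrete, here is an added, self-contained example (not code from the PersistenceSniper project, whose Parse-NetUser function is not reproduced here). It parses a constructed `net user` listing twice, once splitting on any whitespace and once on runs of two or more spaces, and compares each result against a constructed reference list of accounts to show which names a comparison-based check would flag. The hostname, the account names, the reference list and the function names are all assumptions made for the example.

```powershell
# Constructed sample of `net user` output (hostname and account names are made up).
# The real output is fixed-width: names sit in 25-character columns separated by runs of spaces.
$SampleNetUserOutput = @'
User accounts for \\TESTBOX

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
John Doe                 WDAGUtilityAccount
The command completed successfully.
'@ -split "`r?`n"

# Constructed stand-in for the second enumeration source a check would compare against.
# Assumption: any name present in the parsed `net user` list but absent here gets reported.
$KnownAccounts = @('Administrator', 'DefaultAccount', 'Guest', 'John Doe', 'WDAGUtilityAccount')

function Select-AccountLines {
    # Drop the banner, separator, footer and blank lines so only account rows remain.
    param([string[]]$Lines)
    $Lines | Where-Object {
        -not [string]::IsNullOrWhiteSpace($_) -and
        $_ -notmatch '^User accounts for' -and
        $_ -notmatch '^-+$' -and
        $_ -notmatch '^The command completed'
    }
}

function Parse-NetUserNaive {
    # Faulty variant: splitting on any whitespace tears "John Doe" into "John" and "Doe".
    param([string[]]$Lines)
    $accounts = @()
    foreach ($line in (Select-AccountLines $Lines)) {
        $accounts += ($line -split '\s+' | Where-Object { $_ -ne '' })
    }
    return $accounts
}

function Parse-NetUserFixed {
    # Corrected variant: column gaps are always two or more spaces, while the space
    # inside a username is exactly one, so it survives the split.
    param([string[]]$Lines)
    $accounts = @()
    foreach ($line in (Select-AccountLines $Lines)) {
        $accounts += ($line -split '\s{2,}' | Where-Object { $_ -ne '' })
    }
    return $accounts
}

function Find-UnexpectedAccounts {
    # Names that appear in the parsed `net user` list but not in the reference list.
    param([string[]]$Parsed, [string[]]$Known)
    Compare-Object -ReferenceObject $Known -DifferenceObject $Parsed |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object -ExpandProperty InputObject
}

$naive = Parse-NetUserNaive -Lines $SampleNetUserOutput
$fixed = Parse-NetUserFixed -Lines $SampleNetUserOutput

"Naive parse flags: $((Find-UnexpectedAccounts -Parsed $naive -Known $KnownAccounts) -join ', ')"
"Fixed parse flags: $((Find-UnexpectedAccounts -Parsed $fixed -Known $KnownAccounts) -join ', ')"
```

With the sample above, the naive parse reports the phantom accounts "John" and "Doe" (the same false positive described in this issue), while the `\s{2,}` parse reports nothing. The two-space rule still depends on the column layout: a username containing two or more consecutive spaces would again be split, so a parser that cuts each row at the fixed 25-character column offsets is the more robust choice if such names must be supported.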

last-byte commented 3 months ago

I directly implemented the suggested change in v1.16.0. Thank you!