PersistenceSniper: A Tool for Tracing Hacker Activity in Windows Systems

PersistenceSniper is a PowerShell module designed for Blue Team analysts, system administrators, and incident responders. It identifies persistence techniques that attackers use to survive reboots on Windows systems. The tool detects 56 different techniques, including registry manipulation, DLL hijacking, and other less common methods.

Features of PersistenceSniper

Comprehensive Search
  • The module detects 56 different persistence techniques.
  • Checks both commonly abused registry keys and less frequently used locations such as AppInit_DLLs.
Monitoring and Analysis
  • Inspects user logon sessions on the device.
  • Examines services configured to start automatically.
  • Analyzes autorun locations.
Ease of Use
  • PowerShell interface tailored for Blue Teams.
  • Produces detailed findings that can be exported as incident reports.

Requirements for Installation

  • Windows PowerShell version 5.1 or higher.
  • Administrator privileges.

Installation Steps

  1. Open PowerShell and execute the following commands:

     git clone https://github.com/last-byte/PersistenceSniper.git
     cd PersistenceSniper
     Import-Module .\PersistenceSniper.psm1

  2. Once the module is successfully imported, you can start using its core commands.

Techniques Detected by PersistenceSniper

Registry-Based Persistence Methods
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SYSTEM\CurrentControlSet\Services
Scheduled Tasks
  • Detects malicious scheduled tasks.
  • Analyzes automated task execution processes.
DLL Hijacking and AppInit_DLLs
  • Identifies changes to the AppInit_DLLs configuration.
  • Detects DLL hijacking, where a malicious Dynamic Link Library (DLL) is loaded in place of a legitimate one.
WMI Events
  • Detects malicious scripts triggered through WMI events.
Startup Folder Usage
  • Analyzes files located in the Startup folder:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
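
As an added illustration of the locations listed above (example code written for this page, not PersistenceSniper's own), the following PowerShell function enumerates the Run keys, the AppInit_DLLs value, non-Microsoft scheduled tasks, WMI permanent event subscriptions, and the Startup folder, and returns each entry as an object for review. The AppInit_DLLs registry path and the root\subscription WMI namespace are assumed from standard Windows documentation, not from this page.

```powershell
# Added example, not part of PersistenceSniper: enumerate the persistence
# locations discussed on this page. Run from an elevated PowerShell session.
function Get-PersistenceCandidates {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Technique, $Location, $Name, $Value) {
        $findings.Add([pscustomobject]@{
            Technique = $Technique; Location = $Location; Name = $Name; Value = $Value
        })
    }

    # Registry Run keys for the current user and the machine.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to every key.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                Add-Finding 'Registry Run key' $key $p.Name $p.Value
            }
        }
    }

    # AppInit_DLLs: any non-empty value is worth a closer look (path assumed).
    $appInitKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue
    if ($appInit -and $appInit.AppInit_DLLs) {
        Add-Finding 'AppInit_DLLs' $appInitKey 'AppInit_DLLs' $appInit.AppInit_DLLs
    }

    # Scheduled tasks outside the \Microsoft\ tree, with their executed command.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Finding 'Scheduled task' $_.TaskPath $_.TaskName $cmd
        }

    # WMI permanent event subscriptions: each filter-to-consumer binding.
    Get-CimInstance -Namespace 'root\subscription' -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'WMI event subscription' 'root\subscription' $_.Filter $_.Consumer }

    # All-users Startup folder (path taken from this page).
    $startup = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup folder' $startup $_.Name $_.FullName }

    return $findings
}

Get-PersistenceCandidates | Format-Table -AutoSize
```

Every entry returned is a candidate, not a verdict: legitimate software populates most of these locations, so each finding still needs an analyst's review, as the page notes under Limitations.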

Key Commands for Usage

  • Full system scan
  • Detect specific techniques (e.g., scheduled tasks)
  • Identify potential threats in the registry
  • Scan WMI events

Practical Applications of the Tool

  1. System Security Analysis:
    This tool can be used to assess the security level of Windows devices in corporate networks.
  2. Post-Hack Investigation:
    Incident Response teams can quickly detect malicious remnants left by attackers.
  3. Automated Report Generation:
    Reports generated after each scan simplify the analysis process.

Limitations and Drawbacks

  1. Not Fully Automated:
     Results are findings, not verdicts; a cybersecurity expert must review them to separate legitimate software from malicious persistence.
  2. Requires Technical Expertise:
     Effective use of the module requires a solid understanding of Windows internals.

PersistenceSniper is a powerful tool for identifying traces of attacker activity in Windows systems. It surfaces both straightforward registry changes and more complex techniques. The module is a valuable asset for Blue Team specialists, system administrators, and cybersecurity experts working to improve overall network security.

GitHub: https://github.com/last-byte/PersistenceSniper