Features:
- Detection for SetupExecuteNoPnpSync
- Enhanced detection for techniques implemented in 1.17.1 (expanded search outside of System32 - credit @sixtyvividtails)
Features:
- Detection for BootExecute and BootExecuteNoPnpSync
- Detection for PlatformExecute
- Detection for SetupExecute
- Detection for Netsh Helper DLL
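The Session Manager detections listed in the last two entries (BootExecute, BootExecuteNoPnpSync, SetupExecute, SetupExecuteNoPnpSync, PlatformExecute) all inspect the same registry key. The following PowerShell is an added example and not PersistenceSniper's own code; it assumes that these five values live under `HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager` as REG_MULTI_SZ command lines of the form `image [args]`, that the stock entry is `autocheck autochk *` with `autocheck` acting as a keyword in front of the image name, that a bare image name resolves relative to System32, and that an image given without an extension is an `.exe`. It flags entries whose image resolves outside System32, which is the case the "expanded search outside of System32" note above is about, and reports whether the image exists on disk so that a reviewer can triage the list.

```powershell
# Added example (not part of PersistenceSniper): list the Session Manager
# native-execution values and flag entries that do not point into System32.
function Get-SessionManagerExecuteEntries {
    $key        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $valueNames = 'BootExecute', 'BootExecuteNoPnpSync',
                  'SetupExecute', 'SetupExecuteNoPnpSync', 'PlatformExecute'
    $system32   = Join-Path $env:SystemRoot 'System32'
    $props      = Get-ItemProperty -Path $key -ErrorAction Stop

    foreach ($name in $valueNames) {
        $entries = $props.$name
        if (-not $entries) { continue }            # value absent or empty (the usual case)

        foreach ($entry in @($entries)) {
            # Split "image [args]" into tokens; force an array so [0] is a token, not a char.
            $tokens = @(($entry.Trim() -split '\s+') | Where-Object { $_ })
            if ($tokens.Count -eq 0) { continue }

            # Assumption: "autocheck" is a keyword and the image name is the next token.
            $image = if ($tokens[0] -ieq 'autocheck' -and $tokens.Count -gt 1) { $tokens[1] } else { $tokens[0] }

            # Normalise NT-style prefixes so that \SystemRoot\System32\... still counts as System32.
            $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot(?=\\)', $env:SystemRoot

            # Assumption: a bare name resolves under System32 and an extensionless name is an .exe.
            $resolved = if ([System.IO.Path]::IsPathRooted($image)) { $image } else { Join-Path $system32 $image }
            if (-not [System.IO.Path]::HasExtension($resolved)) { $resolved += '.exe' }

            [pscustomobject]@{
                Value           = $name
                Entry           = $entry
                ResolvedImage   = $resolved
                OutsideSystem32 = -not $resolved.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
                ImageExists     = Test-Path -LiteralPath $resolved -PathType Leaf
                IsDefault       = ($name -eq 'BootExecute' -and $entry.Trim() -ieq 'autocheck autochk *')
            }
        }
    }
}

# Show everything except the stock autochk entry; anything with OutsideSystem32 = True
# or a non-existent image deserves a closer look.
Get-SessionManagerExecuteEntries | Where-Object { -not $_.IsDefault } | Format-Table -AutoSize
```

The function reads the key once and only reports what is there, so on a clean system it typically prints nothing after the default entry is filtered; a hit with `OutsideSystem32 = True` is the situation a System32-only search would have missed.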
Fixes:
- Fixed a bug in the remote computer execution which, under certain circumstances, prevented the proper execution of the module
Fixes:
- Fixed a bug in the remote computer execution which, under certain circumstances, prevented the proper execution of the module
- Fixed a bug in the handling of the LSA Notification Package detection (see PR #27)
Fixes:
- Fixed a bug in the Ghost Task function which under certain circumstances prevented the detection of the technique
Features:
- Detection for the BootVerificationProgram hijacking
- Detection for the AppInit DLLs injection
Fixes:
- Fixed a false positive in the detection of the Suborner Attack caused by a faulty implementation of the Parse-NetUser internal function
Fixes:
- Fixed a gap in the detection of the techniques which relied on the Get-IfSafeExecutable function, which prevented PowerShell persistence entries from showing up
Features:
- Detection for the GhostTask technique
Fixes:
- Fixed some minor bugs
Features:
- Detection for the DSRM backdoor
Fixes:
- Fixed a bug regarding the Parse-NetUser internal function (see issue #20).
Features:
- Detection for RID hijacking
- Detection for the Suborner technique
Fixes:
- Fixed a bug regarding module-wide string comparisons (see issue #19).
Fixes:
- Fixed a bug which prevented the detection of the Utilman.exe hijacking in the Accessibility Tools persistence detection.
Features:
- Save results to the local Windows Event Log
Fixes:
- Fixed a bug which saw OutputCSV contain the techniques that should have been filtered out by DiffCSV.
Features:
- Detection for RunEx registry key added
- Detection for RunOnceEx registry key added
- Detection for .NET startup hooks added
Fixes:
- Fixed a bug which prevented the detection of CmdAutoRun from working as intended.
Fixes:
- Fixed a bug which prevented -DiffCSV from working as intended.
Features:
- Detection for Office AI.exe hijacking
- Detection for Service Control Manager Security Descriptor tampering
- Detection for Explorer Context Menu hijacking
Fixes:
- Fixed handling of system environment variables in the registry
- Fixed the bug in which the script blocked if one of the remote computers was not reachable
Features:
- Added the possibility of passing a VirusTotal API key and checking whether the hash of the detected file is known.
- Malicious Office Templates are now detected
- New license has been implemented.
Fixes:
- Fixed 3 lines of code dealing with minor bugs
Features:
- Added the following persistence techniques:
- Screensaver
- BITS Job NotifyCmdLine
- Power Automate
Features:
- Added the following persistence techniques:
- AMSI Providers
- Powershell Profiles
- Silent Exit Monitor
- Telemetry Controller Commands
- RDP WDS Startup Programs
- Scheduled Tasks
Fixes:
- Fixed minor typos here and there
Fixes:
- the PSM1 is now also signed (it was not in v1.7.0)
Features:
- add support for accessibility tools backdoor detection
Features:
- add support for RDP InitialProgram detection
Features:
- added the PersistenceMethod parameter in order to selectively check for one persistence technique at a time
Features:
- the module is now digitally signed with a valid code signing certificate
Features:
- a number of new persistence checks have been implemented
Features:
- WMI event subscriptions persistence check has been implemented
Beta release