Using PersistenceSniper is as simple as:
If you need a detailed explanation of how to use the tool or which parameters are available and how they work, PersistenceSniper’s
Find-AllPersistence supports Powershell’s help features, so you can get detailed, updated help by using the following command after importing the module:
Find-AllPersistence returns an array of objects of type PSCustomObject with the following properties:
Of course, being PersistenceSniper a Powershell-based tool, some cool tricks can be performed, like passing its output to
Out-GridView in order to have a GUI-based table to interact with.
As already introduced,
Find-AllPersistence outputs an array of Powershell Custom Objects. Each object has the following properties, which can be used to filter, sort and better understand the different techniques the function looks for:
Let’s face it, hunting for persistence techniques also comes with having to deal with a lot of false positives. This happens because, while some techniques are almost never legimately used, many indeed are by legit software which needs to autorun on system boot or user login.
This poses a challenge, which in many environments can be tackled by creating a CSV file containing known false positives. If your organization deploys systems using something like a golden image, you can run PersistenceSniper on a system you just created, get a CSV of the results and use it to filter out results on other machines. This approach comes with the following benefits:
Find-AllPersistence comes with parameters allowing direct output of the findings to a CSV file, while also being able to take a CSV file as input and diffing the results.
The topic of persistence, especially on Windows machines, is one of those which see new discoveries basically every other week. Given the sheer amount of persistence techniques found so far by researchers, I am still in the process of implementing them. So far the following 31 techniques have been implemented successfully:
The techniques implemented in this script have already been published by skilled researchers around the globe, so it’s right to give credit where credit’s due. This project wouldn’t be around if it weren’t for: