Home
Welcome to the PersistenceSniper Wiki, where you will learn how to deploy and use the PersistenceSniper PowerShell module. This document is comprised of 5 sections (0 through 4):
- 0 - Home: this page;
- 1 - Deployment: how to install and check PersistenceSniper is correctly working;
- 2 - Usage: how to use PersistenceSniper in your environment;
- 3 - Detections: list of all the techniques implemented, along with links to relevant resources.
- 4 - Frequently Asked Questions: the name speaks for itself.
PersistenceSniper is a PowerShell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. It is roughly 3000 lines of pure, digitally signed PowerShell code.
I started working on the project in July 2022, when I realised I had no tool in my arsenal to quickly and efficiently check for malicious persistence techniques simultaneously across a number of different hosts, while at the same time being able to filter and compare the results, with the requirement of uploading as little code as possible on the target machines. PersistenceSniper is what came out of that need. Since then I kept on adding new detections, each of them is documented in the Detections section of this document. Following is a quick list of PersistenceSniper's features:
- Monolithic PowerShell module: all the code is in just one file;
- Easily extensible: every persistence detection has its own standalone function;
- Digitally signed with a valid code signing certificate;
- Natively supports PowerShell remoting so that it can be run on multiple remote machines without having to upload the module on each of them and without leaving privileged credentials on said machines;
- Supports whitelists with which you can filter out known false positives and highlight only the bad stuff;
- Compatible with the Velociraptor DFIR framework;