{"id":50736382,"url":"https://github.com/blwhit/persistencehunter","last_synced_at":"2026-06-10T14:01:12.919Z","repository":{"id":289139404,"uuid":"969818673","full_name":"blwhit/PersistenceHunter","owner":"blwhit","description":"CLI blue team tool to identify malware persistence in Windows Registry, Scheduled Tasks, Startup Folders, and Services.","archived":false,"fork":false,"pushed_at":"2025-07-21T18:06:52.000Z","size":83,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-21T20:20:37.044Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blwhit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-21T01:36:43.000Z","updated_at":"2025-07-21T18:06:55.000Z","dependencies_parsed_at":"2025-04-21T19:23:09.693Z","dependency_job_id":"b24874e4-d34c-4fa0-bf63-cb22078ea8fc","html_url":"https://github.com/blwhit/PersistenceHunter","commit_stats":null,"previous_names":["blwhit/persistencehunter"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/blwhit/PersistenceHunter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FPersistenceHunter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FPersistenceHunter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FPersistenceHunter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/blwhit%2FPersistenceHunter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blwhit","download_url":"https://codeload.github.com/blwhit/PersistenceHunter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blwhit%2FPersistenceHunter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34155422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-10T14:01:11.326Z","updated_at":"2026-06-10T14:01:12.914Z","avatar_url":"https://github.com/blwhit.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PersistenceHunter.ps1\n\n### *UPDATED VERSION OF THIS TOOL RELEASED ---\u003e https://github.com/blwhit/AutorunHunter \u003c--- *\n\n---\n\n### Overview\nPowerShell CLI tool for hunting Windows malware persistence mechanisms and suspicious autoruns. 
This tool automatically finds potential malware footholds by analyzing the Registry, Services, Scheduled Tasks, and Startup Items for:\n\n- Autoruns with invalid signatures\n- Suspicious file paths or references\n- Suspicious execution arguments\n- Embedded IPs/domains in arguments\n- Startup folder path changes via Registry\n- Bootstart key manipulation via Registry\n- Suspicious shortcut targets in the Startup Folder\n- Persistence via AppInit DLLs\n\nPersistenceHunter.ps1 can also be used to enumerate all autoruns for manual review without automatic filtering/flagging.\n\n### Built from sources:\n- [T1547: Boot or Logon Autostart Execution](https://attack.mitre.org/techniques/T1547/001/)\n- [T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)\n- [T1546.010: Event Triggered Execution: AppInit DLLs](https://attack.mitre.org/techniques/T1546/010/)\n\n---\n\n## Function Syntax:\n```powershell\nHunt-Persistence -mode \"Mode\" -strings @(\"exampleString1\", \"exampleString2\", \"exampleString3\") -csv \"C:\\FilePath.csv\"\n```\n\n### Options:\n- **Mode**: Choose the mode the script runs in, which determines what is investigated and what is output:\n  - `-mode \"Auto\"`: Automatically filter and find active suspicious autoruns that may be potential persistence malware footholds.\n  - `-mode \"All\"`: Return all autoruns and potential persistence mechanisms, no filtering.\n  - `-mode \"Registry\"`: Return all Registry autoruns.\n  - `-mode \"Services\"`: Return all Services autoruns.\n  - `-mode \"Tasks\"`: Return all Scheduled Tasks autoruns.\n  - `-mode \"Startup\"`: Return all Startup item autoruns.\n\n- **strings**: `@(\"exampleString1\", \"exampleString2\", \"exampleString3\")` — List of suspicious strings to hunt for. 
Must be used with `-mode \"Auto\"`.\n- **csv**: `\"C:\\FilePath.csv\"` — Generate a CSV report of the findings; optionally specify a file path.\n\n---\n## Usage Examples:\n\n### Remote Usage:\n```powershell\nInvoke-Expression (Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/blwhit/PersistenceHunter/refs/heads/main/PersistenceHunter.ps1\" -UseBasicParsing).Content;\nHunt-Persistence\n```\n\n---\n\n### Local Usage w/ Arguments:\n```powershell\nInvoke-Expression (Get-Content \"C:\\Path\\To\\PersistenceHunter.ps1\" -Raw);\nHunt-Persistence -mode \"Mode\" -strings @(\"exampleString1\", \"exampleString2\", \"exampleString3\") -csv \"C:\\FilePath.csv\"\n```\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblwhit%2Fpersistencehunter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblwhit%2Fpersistencehunter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblwhit%2Fpersistencehunter/lists"}