v0.4.3: AMSI registry checks, skippable baseline, ASCII CI box, pre-commit hook, TrustedAppDirs in process checks

Made-with: Cursor

Author: TMHSDigital

.githooks/pre-commit

@@ -0,0 +1,27 @@
+#!/bin/sh
+# Pre-commit hook: enforce UTF-8 BOM on all staged .ps1 files.
+# PowerShell 5.1 reads files without BOM as Windows-1252, which corrupts
+# non-ASCII characters (box-drawing, checkmarks) and causes parse errors.
+
+missing=""
+
+for file in $(git diff --cached --name-only --diff-filter=ACM | grep '\.ps1$'); do
+    # Read first 3 bytes and check for UTF-8 BOM (EF BB BF)
+    bom=$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')
+    if [ "$bom" != "efbbbf" ]; then
+        missing="$missing\n  $file"
+    fi
+done
+
+if [ -n "$missing" ]; then
+    echo ""
+    echo "ERROR: The following .ps1 files are missing a UTF-8 BOM:"
+    printf "$missing\n"
+    echo ""
+    echo "Fix by running: pwsh -File fix-bom.ps1  (or: powershell -File fix-bom.ps1)"
+    echo "Then re-stage the files and commit again."
+    echo ""
+    exit 1
+fi
+
+exit 0

AmIHacked.ps1

@@ -79,7 +79,7 @@ if ($script:NonInteractive) {
 }
 $script:RedactMap = @{}
 
-$script:Version = "0.4.2"
+$script:Version = "0.4.3"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
@@ -178,16 +178,29 @@ if ($script:RedactMode) {
 
 $defaultBaselinePath = Join-Path (Join-Path $PSScriptRoot "reports") "baseline_latest.json"
 
-if ($BaselinePath -and (Test-Path $BaselinePath)) {
-    Write-Section "Baseline Comparison"
-    Compare-Baseline -BaselinePath $BaselinePath
-} elseif (-not $BaselinePath -and (Test-Path $defaultBaselinePath)) {
-    Write-Section "Baseline Comparison"
-    Compare-Baseline -BaselinePath $defaultBaselinePath
-} elseif (-not $CreateBaseline) {
-    Add-Finding -Severity "INFO" -Category "General" -Title "No Baseline Found" `
-        -Description "No baseline snapshot exists for comparison. Run with -CreateBaseline on a known-clean system to enable change detection on future scans." `
-        -Remediation ".\AmIHacked.ps1 -CreateBaseline"
+if ('Baseline' -notin $SkipModules) {
+    if ($BaselinePath -and (Test-Path $BaselinePath)) {
+        Write-Section "Baseline Comparison"
+        Compare-Baseline -BaselinePath $BaselinePath
+    } elseif (-not $BaselinePath -and (Test-Path $defaultBaselinePath)) {
+        Write-Section "Baseline Comparison"
+        Compare-Baseline -BaselinePath $defaultBaselinePath
+    } elseif (-not $CreateBaseline) {
+        Add-Finding -Severity "INFO" -Category "General" -Title "No Baseline Found" `
+            -Description "No baseline snapshot exists for comparison. Run with -CreateBaseline on a known-clean system to enable change detection on future scans." `
+            -Remediation ".\AmIHacked.ps1 -CreateBaseline"
+    }
+}
+
+# ── Preflight: Signature Verification Capability ─────────────────────────────
+
+Import-Module Microsoft.PowerShell.Security -Force -ErrorAction SilentlyContinue -WarningAction SilentlyContinue 2>$null
+$script:SignatureCheckAvailable = $null -ne (Get-Command Get-AuthenticodeSignature -ErrorAction SilentlyContinue)
+if (-not $script:SignatureCheckAvailable) {
+    Add-Finding -Severity "WARNING" -Category "General" `
+        -Title "Signature Verification Degraded" `
+        -Description "The PowerShell Security module (Microsoft.PowerShell.Security) could not be loaded in this session. Authenticode signature checks will be skipped or may produce false positives. Affected checks: AMSI DLL integrity, COM hijack detection, unsigned process/file detection." `
+        -Remediation "Run the scan in a fresh PowerShell session. If the issue persists, run 'sfc /scannow' to repair PowerShell modules."
 }
 
 # ── Dynamic Module Discovery ─────────────────────────────────────────────────
@@ -318,40 +331,65 @@ $w = 44
 
 Write-Host ""
 Write-Host ""
-Write-Host "  ╔$('═' * $w)╗" -ForegroundColor DarkCyan
-Write-Host "  ║" -NoNewline -ForegroundColor DarkCyan
-$verdictPad = $verdict.PadLeft([math]::Floor(($w + $verdict.Length) / 2)).PadRight($w)
-Write-Host $verdictPad -NoNewline -ForegroundColor $verdictColor
-Write-Host "║" -ForegroundColor DarkCyan
-Write-Host "  ╠$('═' * $w)╣" -ForegroundColor DarkCyan
-
-function Write-SummaryLine { param($Label, $Value, $Color, $Width)
-    $content = "$Label$Value"
-    $innerWidth = $Width - 4
-    $padded = $content.PadRight($innerWidth)
-    Write-Host "  ║  " -NoNewline -ForegroundColor DarkCyan
-    Write-Host $Label -NoNewline -ForegroundColor DarkGray
-    Write-Host $Value -NoNewline -ForegroundColor $Color
-    $remaining = $innerWidth - $content.Length
-    if ($remaining -gt 0) { Write-Host (' ' * $remaining) -NoNewline }
-    Write-Host "  ║" -ForegroundColor DarkCyan
-}
 
-Write-SummaryLine "CRITICAL  " "$critCount" $(if ($critCount -gt 0) { "Red" } else { "Green" }) $w
-Write-SummaryLine "WARNING   " "$warnCount" $(if ($warnCount -gt 0) { "Yellow" } else { "Green" }) $w
-Write-SummaryLine "INFO      " "$infoCount" "DarkCyan" $w
-Write-Host "  ║$(' ' * $w)║" -ForegroundColor DarkCyan
+if ($script:NonInteractive) {
+    # ASCII-only box for CI/agent environments (avoids encoding issues in piped output)
+    $hbar = '=' * ($w + 2)
+    Write-Host "  +$hbar+"
+    $verdictPad = $verdict.PadLeft([math]::Floor(($w + 2 + $verdict.Length) / 2)).PadRight($w + 2)
+    Write-Host "  |$verdictPad|"
+    Write-Host "  +$hbar+"
+
+    function Write-SummaryLine { param($Label, $Value, $Color, $Width)
+        $content = "  $Label$Value"
+        $innerWidth = $Width - 2
+        $line = "  | $Label$Value".PadRight($Width + 3) + " |"
+        Write-Host $line
+    }
 
-Write-SummaryLine "Total     " "$totalCount findings" "White" $w
-Write-SummaryLine "Duration  " "$durationStr" "DarkGray" $w
-Write-Host "  ║$(' ' * $w)║" -ForegroundColor DarkCyan
-Write-SummaryLine "Report    " "See path below" "DarkGray" $w
+    Write-SummaryLine "CRITICAL  " "$critCount" "Red" $w
+    Write-SummaryLine "WARNING   " "$warnCount" "Yellow" $w
+    Write-SummaryLine "INFO      " "$infoCount" "DarkCyan" $w
+    Write-Host "  |  $(' ' * ($w - 2))  |"
+    Write-SummaryLine "Total     " "$totalCount findings" "White" $w
+    Write-SummaryLine "Duration  " "$durationStr" "DarkGray" $w
+    Write-Host "  |  $(' ' * ($w - 2))  |"
+    Write-SummaryLine "Report    " "See path below" "DarkGray" $w
+    Write-Host "  +$hbar+"
+} else {
+    Write-Host "  ╔$('═' * $w)╗" -ForegroundColor DarkCyan
+    Write-Host "  ║" -NoNewline -ForegroundColor DarkCyan
+    $verdictPad = $verdict.PadLeft([math]::Floor(($w + $verdict.Length) / 2)).PadRight($w)
+    Write-Host $verdictPad -NoNewline -ForegroundColor $verdictColor
+    Write-Host "║" -ForegroundColor DarkCyan
+    Write-Host "  ╠$('═' * $w)╣" -ForegroundColor DarkCyan
+
+    function Write-SummaryLine { param($Label, $Value, $Color, $Width)
+        $content = "$Label$Value"
+        $innerWidth = $Width - 4
+        Write-Host "  ║  " -NoNewline -ForegroundColor DarkCyan
+        Write-Host $Label -NoNewline -ForegroundColor DarkGray
+        Write-Host $Value -NoNewline -ForegroundColor $Color
+        $remaining = $innerWidth - $content.Length
+        if ($remaining -gt 0) { Write-Host (' ' * $remaining) -NoNewline }
+        Write-Host "  ║" -ForegroundColor DarkCyan
+    }
+
+    Write-SummaryLine "CRITICAL  " "$critCount" $(if ($critCount -gt 0) { "Red" } else { "Green" }) $w
+    Write-SummaryLine "WARNING   " "$warnCount" $(if ($warnCount -gt 0) { "Yellow" } else { "Green" }) $w
+    Write-SummaryLine "INFO      " "$infoCount" "DarkCyan" $w
+    Write-Host "  ║$(' ' * $w)║" -ForegroundColor DarkCyan
+    Write-SummaryLine "Total     " "$totalCount findings" "White" $w
+    Write-SummaryLine "Duration  " "$durationStr" "DarkGray" $w
+    Write-Host "  ║$(' ' * $w)║" -ForegroundColor DarkCyan
+    Write-SummaryLine "Report    " "See path below" "DarkGray" $w
+    Write-Host "  ╚$('═' * $w)╝" -ForegroundColor DarkCyan
+}
 
-Write-Host "  ╚$('═' * $w)╝" -ForegroundColor DarkCyan
 Write-Host ""
 
 if ($critCount -gt 0) {
-    Write-Host "  ██ CRITICAL findings detected. Review the report immediately." -ForegroundColor Red
+    Write-Host "  !! CRITICAL findings detected. Review the report immediately." -ForegroundColor Red
 } elseif ($warnCount -eq 0 -and $critCount -eq 0) {
     Write-Host "  [+] No threats detected. System appears clean." -ForegroundColor Green
 }

CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.3] - 2026-03-15
+
+### Added
+- **AMSI registry checks** -- detects `AmsiEnable=0` (CRITICAL, T1562.001) and missing PowerShell Script Block Logging (INFO, T1562.002)
+- **PS.Security preflight** -- detects when `Get-AuthenticodeSignature` is unavailable and emits a WARNING at scan startup listing affected checks
+- **`-SkipModules Baseline`** -- baseline comparison is now skippable, enabling faster targeted scans without baseline drift noise
+- **ASCII verdict box in CI mode** -- non-interactive output uses `+==+|` instead of Unicode box-drawing, preventing encoding issues in piped/agent output
+- **Pre-commit hook** -- `.githooks/pre-commit` rejects commits with `.ps1` files missing UTF-8 BOM
+
+### Fixed
+- **Unsigned process false positives** -- `Check-Processes.ps1` now uses `TrustedAppDirs` from config to skip processes in trusted directories (e.g. Git for Windows)
+- **Ephemeral port baseline noise** -- ports in the Windows dynamic range (49152-65535) are excluded from baseline diffs
+- Added `Git\usr\bin` to `TrustedAppDirs` in `config.example.json`
+
 ## [0.4.2] - 2026-03-15
 
 ### Fixed

CLAUDE.md

@@ -83,7 +83,7 @@ Copied from `config/config.example.json`. Controls:
 
 ### Baseline System
 
-`-CreateBaseline` snapshots ports, services, accounts, Run keys, scheduled tasks, and Defender exclusions to JSON. Baselines are **never auto-overwritten** — this is intentional to prevent a compromised system from poisoning its own baseline.
+`-CreateBaseline` snapshots ports, services, accounts, Run keys, scheduled tasks, and Defender exclusions to JSON. Baselines are **never auto-overwritten** — this is intentional to prevent a compromised system from poisoning its own baseline. Baseline comparison can be skipped with `-SkipModules Baseline`. Ephemeral ports (49152-65535) are excluded from baseline diffs.
 
 ### Redaction System
 
@@ -102,7 +102,7 @@ Individual modules do not need to handle redaction.
 
 `-CIMode` makes the tool usable by AI terminal agents and CI pipelines:
 
-- Suppresses ASCII banner (plain-text header instead) and browser auto-open
+- Suppresses ASCII banner (plain-text header instead), uses ASCII-only verdict box, and suppresses browser auto-open
 - Auto-enables `-Redact` so operator identity is never leaked
 - Prints a JSON summary to stdout after all output, delimited by `---AMIHACKED-SUMMARY-JSON---`
 - Exits with structured code: 0 = clean, 1 = warnings, 2 = critical

CONTRIBUTING.md

@@ -96,12 +96,22 @@ Edit `config/config.example.json` to add (or `config/config.json` locally):
 
 ## Code Style
 
-- All `.ps1` files must use **UTF-8 BOM** encoding (PowerShell 5.1 reads files as Windows-1252 without it, breaking non-ASCII characters)
+- All `.ps1` files must use **UTF-8 BOM** encoding (PowerShell 5.1 reads files as Windows-1252 without it, breaking non-ASCII characters). Run `fix-bom.ps1` after any edit to re-apply the BOM (most editors and the Claude Code Edit tool strip it on save).
 - PowerShell verb-noun naming for functions
 - Consistent indentation (4 spaces)
 - Section headers with `# ── N. Section Name ──...` pattern
 - Status messages via `Write-Status`, not `Write-Host`
 
+### Git hooks (BOM enforcement)
+
+A pre-commit hook rejects commits that include `.ps1` files without a UTF-8 BOM. Activate it once per clone:
+
+```sh
+git config core.hooksPath .githooks
+```
+
+If the hook blocks your commit, run `fix-bom.ps1`, re-stage, and commit again.
+
 ## Submitting a PR
 
 1. Fork the repo and create a feature branch

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.2-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.3-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -111,7 +111,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 | Parameter | Description |
 |-----------|-------------|
 | `-OutputPath` | Report output directory (default: `.\reports`) |
-| `-SkipModules` | Module names to skip (e.g. `Network,Accounts`) |
+| `-SkipModules` | Module names to skip (e.g. `Network,Accounts,Baseline`) |
 | `-ConfigPath` | Path to `config.json` (default: `.\config\config.json`) |
 | `-Offline` | Disable all external API calls |
 | `-BaselinePath` | Path to a specific baseline JSON |
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.2"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.3"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected

config/config.example.json

@@ -66,7 +66,8 @@
     "1Password", "Bitwarden", "Proton", "node_modules",
     "OneDrive", "WindowsApps", "WinGet", "squirrel.windows",
     "Plutonium", "cursor", "Claude", "Amazon Games",
-    "NuGet", "npm", "pip", "cargo"
+    "NuGet", "npm", "pip", "cargo",
+    "Git\\usr\\bin"
   ],
   "TrustedDomainSuffixes": [
     ".microsoft.com", ".windowsupdate.com", ".akamaized.net",

lib/Helpers.ps1

@@ -547,7 +547,7 @@ function Compare-Baseline {
         $currentPorts = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             ForEach-Object { $_.LocalPort } | Sort-Object -Unique
         $oldPorts = $old.ListeningPorts | ForEach-Object { $_.Port } | Sort-Object -Unique
-        $newPorts = $currentPorts | Where-Object { $_ -notin $oldPorts }
+        $newPorts = $currentPorts | Where-Object { $_ -notin $oldPorts -and $_ -lt 49152 }  # skip ephemeral range
         foreach ($port in $newPorts) {
             Add-Finding -Severity "WARNING" -Category "Baseline" `
                 -Title "New Listening Port: $port" `

modules/Check-DefenseEvasion.ps1

@@ -89,6 +89,30 @@ function Invoke-DefenseEvasionChecks {
         }
     } catch {}
 
+    try {
+        $amsiEnable = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -ErrorAction SilentlyContinue
+        if ($amsiEnable -and $amsiEnable.AmsiEnable -eq 0) {
+            Add-Finding -Severity "CRITICAL" -Category "DefenseEvasion" `
+                -Title "AMSI Explicitly Disabled via Registry" `
+                -Description "HKLM:\SOFTWARE\Microsoft\Windows Script\Settings!AmsiEnable is set to 0. This explicitly disables AMSI for Windows Script Host (VBScript, JScript), allowing malicious scripts to run without AV scanning." `
+                -Remediation "Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script\Settings' -Name 'AmsiEnable'" `
+                -Details @{ Key = "HKLM:\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable"; Value = 0 } `
+                -MITRE @("T1562.001")
+        }
+    } catch {}
+
+    try {
+        $sbl = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue
+        if (-not $sbl -or -not $sbl.EnableScriptBlockLogging -or $sbl.EnableScriptBlockLogging -eq 0) {
+            Add-Finding -Severity "INFO" -Category "DefenseEvasion" `
+                -Title "PowerShell Script Block Logging Not Enabled" `
+                -Description "Script block logging is not enabled via policy. When enabled, PowerShell logs all executed script blocks to the event log (Event ID 4104), which is valuable for detecting obfuscated or malicious scripts." `
+                -Remediation "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name EnableScriptBlockLogging -Value 1" `
+                -Details @{ Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging"; Value = "absent or 0" } `
+                -MITRE @("T1562.002")
+        }
+    } catch {}
+
     # ── 3. Windows Defender Real-Time Protection ─────────────────────────
 
     Write-Status "Checking Defender real-time protection..."

modules/Check-Processes.ps1

@@ -30,6 +30,13 @@ function Invoke-ProcessesChecks {
         if (-not $procPath) { continue }
         if ($procPath -match "^C:\\Windows\\System32" -and $whitelist -contains $procName) { continue }
         if ($procPath -match '^C:\\Program Files\\WindowsApps\\') { continue }
+        if ($script:Config.TrustedAppDirs) {
+            $inTrustedDir = $false
+            foreach ($dir in $script:Config.TrustedAppDirs) {
+                if ($procPath -like "*$dir*") { $inTrustedDir = $true; break }
+            }
+            if ($inTrustedDir) { continue }
+        }
 
         $pathKey = "$($proc.Name)|$procPath"
         if ($seenProcessPaths.ContainsKey($pathKey)) {