Configurable limits, PS logging checks, report suppressed count (v0.4.8)

- Add BackdoorPorts, KnownDNSServers, AbuseIPDBMaxChecks, MaxVTLookups
  config fields; use TrustedPorts for commonPorts in Check-Network.ps1
- Add Module Logging and Transcription detection in Check-DefenseEvasion
- Show suppressed finding count in HTML report stats grid
- Document new config fields in README

Made-with: Cursor

Author: TMHSDigital

AmIHacked.ps1

@@ -80,7 +80,7 @@ if ($script:NonInteractive) {
 $script:RedactMap = @{}
 $script:SuppressedCount = 0
 
-$script:Version = "0.4.7"
+$script:Version = "0.4.8"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
@@ -284,7 +284,8 @@ Generate-HtmlReport -Findings $script:Findings `
                     -SystemInfo $script:SystemInfo `
                     -OutputFile $reportFile `
                     -Duration $duration `
-                    -Version $script:Version
+                    -Version $script:Version `
+                    -SuppressedCount $script:SuppressedCount
 
 Write-SectionEnd
 

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.8] - 2026-03-15
+
+### Added
+- **Configurable network/API limits** -- `BackdoorPorts`, `KnownDNSServers`, `AbuseIPDBMaxChecks`, `MaxVTLookups` config fields with sensible defaults; `commonPorts` in Check-Network.ps1 now uses `TrustedPorts` from config
+- **Module Logging detection** -- Check-DefenseEvasion.ps1 flags when PowerShell Module Logging is not enabled (INFO, T1562.002)
+- **Transcription detection** -- Check-DefenseEvasion.ps1 flags when PowerShell Transcription is not enabled (INFO, T1562.002)
+- **Report suppressed count** -- HTML report stats grid shows a "Suppressed" card when findings have been suppressed via config
+
 ## [0.4.7] - 2026-03-15
 
 ### Added

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.7-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.8-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.7"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.8"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected
@@ -242,6 +242,10 @@ Then edit `config/config.json` (gitignored — API keys stay local):
 | `SuspiciousTempExtensions` | `string[]` | Extensions flagged in temp directories |
 | `TrustedAppDirs` | `string[]` | App directory names to skip during temp-dir scanning |
 | `Suppressions` | `object[]` | Findings to silence permanently. Each entry has a `pattern` (wildcard, matched against Title) and optional `reason` |
+| `BackdoorPorts` | `int[]` | Ports that trigger CRITICAL instead of WARNING on listeners |
+| `KnownDNSServers` | `string[]` | DNS servers considered legitimate (Google, Cloudflare, etc.) |
+| `AbuseIPDBMaxChecks` | `int` | Max IPs to check against AbuseIPDB per scan (default: 30) |
+| `MaxVTLookups` | `int` | Max file hashes to check against VirusTotal per scan (default: 4) |
 | `AccountMaxAgeDays` | `int` | Flag accounts created within N days |
 | `FileSystemMaxAgeDays` | `int` | Flag recently modified system executables |
 | `MaxEventLogEntries` | `int` | Max events to scan per log |

config/config.example.json

@@ -74,6 +74,10 @@
     ".cloudfront.net", ".slack-msgs.com", ".googleapis.com",
     ".gstatic.com", ".steamcontent.com"
   ],
+  "BackdoorPorts": [4444, 5555, 6666, 1234, 31337, 12345, 54321, 9999, 1337],
+  "KnownDNSServers": ["8.8.8.8","8.8.4.4","1.1.1.1","1.0.0.1","9.9.9.9","149.112.112.112","208.67.222.222","208.67.220.220","76.76.2.0","76.76.10.0"],
+  "AbuseIPDBMaxChecks": 30,
+  "MaxVTLookups": 4,
   "Suppressions": [
     { "pattern": "New Listening Port: 6463", "reason": "Discord RPC — expected on this machine" },
     { "pattern": "Unquoted Service Path*", "reason": "Vendor bug, not exploitable — no write access to intermediate paths" }

lib/Helpers.ps1

@@ -292,6 +292,20 @@ function Get-DefaultConfig {
             ".gstatic.com", ".steamcontent.com"
         )
 
+        BackdoorPorts = @(4444, 5555, 6666, 1234, 31337, 12345, 54321, 9999, 1337)
+
+        KnownDNSServers = @(
+            "8.8.8.8", "8.8.4.4",
+            "1.1.1.1", "1.0.0.1",
+            "9.9.9.9", "149.112.112.112",
+            "208.67.222.222", "208.67.220.220",
+            "76.76.2.0", "76.76.10.0"
+        )
+
+        AbuseIPDBMaxChecks = 30
+
+        MaxVTLookups = 4
+
         Suppressions = @()
     }
 }

lib/ReportGenerator.ps1

@@ -9,7 +9,8 @@ function Generate-HtmlReport {
         [hashtable]$SystemInfo,
         [string]$OutputFile,
         [timespan]$Duration,
-        [string]$Version
+        [string]$Version,
+        [int]$SuppressedCount = 0
     )
 
     $critCount = ($Findings | Where-Object { $_.Severity -eq "CRITICAL" }).Count
@@ -385,6 +386,7 @@ function Generate-HtmlReport {
         .stat-warning .stat-value { color: var(--warning); }
         .stat-info .stat-value { color: var(--info); }
         .stat-total .stat-value { color: var(--text-primary); }
+        .stat-suppressed .stat-value { color: var(--text-secondary); }
 
         /* -- System Info -- */
         .system-info {
@@ -731,6 +733,7 @@ function Generate-HtmlReport {
                 <div class="stat-value">${totalCount}</div>
                 <div class="stat-label">Total Findings</div>
             </div>
+            $(if ($SuppressedCount -gt 0) { "<div class=`"stat-card stat-suppressed`"><div class=`"stat-value`">$SuppressedCount</div><div class=`"stat-label`">Suppressed</div></div>" })
         </div>
 
         <div class="system-info">

modules/Check-DefenseEvasion.ps1

@@ -121,6 +121,34 @@ function Invoke-DefenseEvasionChecks {
         Write-Verbose "Could not check ScriptBlockLogging policy: $_"
     }
 
+    try {
+        $ml = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -ErrorAction SilentlyContinue
+        if (-not $ml -or -not $ml.EnableModuleLogging -or $ml.EnableModuleLogging -eq 0) {
+            Add-Finding -Severity "INFO" -Category "DefenseEvasion" `
+                -Title "PowerShell Module Logging Not Enabled" `
+                -Description "Module logging is not enabled via policy. When enabled, PowerShell logs pipeline execution details to the event log (Event ID 4103), helping detect malicious module usage." `
+                -Remediation "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -Name EnableModuleLogging -Value 1" `
+                -Details @{ Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging"; Value = "absent or 0" } `
+                -MITRE @("T1562.002")
+        }
+    } catch {
+        Write-Verbose "Could not check ModuleLogging policy: $_"
+    }
+
+    try {
+        $transcript = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -ErrorAction SilentlyContinue
+        if (-not $transcript -or -not $transcript.EnableTranscripting -or $transcript.EnableTranscripting -eq 0) {
+            Add-Finding -Severity "INFO" -Category "DefenseEvasion" `
+                -Title "PowerShell Transcription Not Enabled" `
+                -Description "PowerShell transcription is not enabled via policy. When enabled, PowerShell logs all input and output to text files, providing a full audit trail of PowerShell activity on the system." `
+                -Remediation "Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -Name EnableTranscripting -Value 1" `
+                -Details @{ Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting"; Value = "absent or 0" } `
+                -MITRE @("T1562.002")
+        }
+    } catch {
+        Write-Verbose "Could not check Transcription policy: $_"
+    }
+
     # ── 3. Windows Defender Real-Time Protection ─────────────────────────
 
     Write-Status "Checking Defender real-time protection..."

modules/Check-FileSystem.ps1

@@ -199,7 +199,7 @@ function Invoke-FileSystemChecks {
         Write-Status "Checking file hashes against VirusTotal..."
 
         $checked = 0
-        $maxVT = 4
+        $maxVT = if ($script:Config.MaxVTLookups) { [int]$script:Config.MaxVTLookups } else { 4 }
 
         foreach ($file in $vtCandidates) {
             if ($checked -ge $maxVT) {

modules/Check-Network.ps1

@@ -75,8 +75,8 @@ function Invoke-NetworkChecks {
                 -MITRE @("T1071.001")
         }
 
+        $commonPorts = if ($script:Config.TrustedPorts) { $script:Config.TrustedPorts } else { @(80, 443, 8080, 8443, 993, 995, 587, 465, 53, 22) }
         foreach ($c in $connList) {
-            $commonPorts = @(80, 443, 8080, 8443, 993, 995, 587, 465, 53, 22)
             if ($c.RemotePort -notin $commonPorts -and $c.RemotePort -lt 1024) {
                 Add-Finding -Severity "WARNING" -Category "Network" `
                     -Title "Connection on Uncommon Port: $($c.Process) → ${ip}:$($c.RemotePort)" `
@@ -95,7 +95,7 @@ function Invoke-NetworkChecks {
         Write-Status "Checking external IPs against AbuseIPDB..."
 
         $checkedCount = 0
-        $maxChecks = 30
+        $maxChecks = if ($script:Config.AbuseIPDBMaxChecks) { [int]$script:Config.AbuseIPDBMaxChecks } else { 30 }
 
         foreach ($ip in $externalIPs.Keys) {
             if ($checkedCount -ge $maxChecks) {
@@ -187,7 +187,7 @@ function Invoke-NetworkChecks {
     foreach ($key in $seenListeners.Keys) {
         $entry = $seenListeners[$key]
         $severity = "WARNING"
-        $backdoorPorts = @(4444, 5555, 6666, 1234, 31337, 12345, 54321, 9999, 1337)
+        $backdoorPorts = if ($script:Config.BackdoorPorts) { $script:Config.BackdoorPorts } else { @(4444, 5555, 6666, 1234, 31337, 12345, 54321, 9999, 1337) }
         if ($entry.Port -in $backdoorPorts) { $severity = "CRITICAL" }
         $addrStr = ($entry.Addresses | Sort-Object -Unique) -join ", "
 
@@ -212,13 +212,7 @@ function Invoke-NetworkChecks {
     $adapters = Get-DnsClientServerAddress -ErrorAction SilentlyContinue |
         Where-Object { $_.ServerAddresses.Count -gt 0 }
 
-    $knownDNS = @(
-        "8.8.8.8", "8.8.4.4",
-        "1.1.1.1", "1.0.0.1",
-        "9.9.9.9", "149.112.112.112",
-        "208.67.222.222", "208.67.220.220",
-        "76.76.2.0", "76.76.10.0"
-    )
+    $knownDNS = if ($script:Config.KnownDNSServers) { $script:Config.KnownDNSServers } else { @("8.8.8.8","8.8.4.4","1.1.1.1","1.0.0.1","9.9.9.9","149.112.112.112","208.67.222.222","208.67.220.220","76.76.2.0","76.76.10.0") }
 
     $seenDns = @{}
     foreach ($adapter in $adapters) {