WinRM/SSH detection, config sync, report hardening, test coverage (v0.4.9)

- Add WinRM (5985/5986) and SSH (22) listener detection in Check-Network
- Sync TrustedCompanies in Get-DefaultConfig with config.example.json
- Use System.Net.WebUtility.HtmlEncode for report detail escaping
- Document score formula weights in ReportGenerator
- Add Network and DefenseEvasion Assert-FindingCount in test harness

Made-with: Cursor

Author: TMHSDigital

AmIHacked.ps1

@@ -80,7 +80,7 @@ if ($script:NonInteractive) {
 $script:RedactMap = @{}
 $script:SuppressedCount = 0
 
-$script:Version = "0.4.8"
+$script:Version = "0.4.9"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 

CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.9] - 2026-03-15
+
+### Added
+- **WinRM listener detection** -- flags ports 5985/5986 if not in TrustedPorts (WARNING, T1021.006)
+- **SSH listener detection** -- flags port 22 if not in TrustedPorts (INFO, T1021.004)
+- **Test assertions** -- `Assert-FindingCount` for Network and DefenseEvasion modules
+
+### Fixed
+- **TrustedCompanies config drift** -- `Get-DefaultConfig` expanded from 9 to 38 entries, synced with `config.example.json`
+- **Report HTML injection hardening** -- finding details now use `[System.Net.WebUtility]::HtmlEncode()` instead of manual `<`/`>` replacement
+- **Score formula documented** -- added comment explaining penalty weights and cap behavior
+
 ## [0.4.8] - 2026-03-15
 
 ### Added

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.8-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.9-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.8"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.9"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected

lib/Helpers.ps1

@@ -281,7 +281,18 @@ function Get-DefaultConfig {
         TrustedCompanies = @(
             "Microsoft Corporation", "Google LLC", "Slack Technologies",
             "Spotify AB", "Discord Inc.", "Mozilla Corporation",
-            "Apple Inc.", "Adobe Inc.", "Valve Corporation"
+            "Apple Inc.", "Adobe Inc.", "Valve Corporation",
+            "GitHub, Inc.", "GitHub", "Node.js Foundation", "OpenJS Foundation",
+            "Rockstar Games", "Cfx.re", "Python Software Foundation",
+            "NVIDIA Corporation", "Intel Corporation", "Samsung Electronics",
+            "Amazon.com Services LLC", "Amazon Web Services",
+            "Proton AG", "Notion Labs, Inc.", "LM Studio", "Anthropic",
+            "JetBrains s.r.o.", "Docker Inc", "Canonical Ltd.",
+            "Postman Inc.", "Activision Publishing", "Blizzard Entertainment",
+            "Electronic Arts", "Epic Games", "Ubisoft",
+            "Dropbox, Inc.", "Zoom Video Communications, Inc.",
+            "1Password", "AgileBits Inc.", "Bitwarden Inc.",
+            "The Chromium Authors", "The Electron Authors"
         )
 
         TrustedAppDirs = @()

lib/ReportGenerator.ps1

@@ -18,6 +18,7 @@ function Generate-HtmlReport {
     $infoCount = ($Findings | Where-Object { $_.Severity -eq "INFO" }).Count
     $totalCount = $Findings.Count
 
+    # Score weights: CRITICAL=-25, WARNING=-5, INFO=-0.5; result clamped to [0,100] (4+ criticals always score 0)
     $penalty = ($critCount * 25) + ($warnCount * 5) + ($infoCount * 0.5)
     $score = [math]::Max(0, [math]::Min(100, [math]::Round(100 - $penalty)))
     $scoreColor = if ($score -ge 80) { "#22c55e" } elseif ($score -ge 50) { "#f59e0b" } else { "#ef4444" }
@@ -110,7 +111,7 @@ function Generate-HtmlReport {
                 $detailsHtml = @"
                 <div class="finding-details">
                     <button class="details-toggle" onclick="toggleDetails(this)">Show Technical Details</button>
-                    <pre class="details-content" style="display:none;">$($finding.Details | ConvertTo-Json -Depth 3 | ForEach-Object { $_ -replace '<','&lt;' -replace '>','&gt;' })</pre>
+                    <pre class="details-content" style="display:none;">$([System.Net.WebUtility]::HtmlEncode(($finding.Details | ConvertTo-Json -Depth 3)))</pre>
                 </div>
 "@
             }

modules/Check-Network.ps1

@@ -205,6 +205,34 @@ function Invoke-NetworkChecks {
             -MITRE @("T1571")
     }
 
+    # WinRM and SSH listeners — always check regardless of commonListenPorts exclusions
+    $specialListeners = @(
+        @{ Port = 5985; Severity = "WARNING"; Title = "WinRM Listener Active: port 5985"; MITRE = "T1021.006"
+           Description = "WinRM (HTTP) is listening on port 5985. WinRM enables remote PowerShell command execution and is commonly abused by attackers for lateral movement."
+           Remediation = "If WinRM is not required, disable it: 'Disable-PSRemoting -Force'. Restrict access with firewall rules if it must remain enabled." }
+        @{ Port = 5986; Severity = "WARNING"; Title = "WinRM Listener Active: port 5986"; MITRE = "T1021.006"
+           Description = "WinRM (HTTPS) is listening on port 5986. WinRM enables remote PowerShell command execution and is commonly abused by attackers for lateral movement."
+           Remediation = "If WinRM is not required, disable it: 'Disable-PSRemoting -Force'. Restrict access with firewall rules if it must remain enabled." }
+        @{ Port = 22;   Severity = "INFO";    Title = "SSH Listener Active";             MITRE = "T1021.004"
+           Description = "An OpenSSH server is listening on port 22. SSH enables remote command execution; verify this service is intentional and that key-based authentication is enforced."
+           Remediation = "If SSH is not required, stop and disable the OpenSSH Server service. If required, ensure 'PasswordAuthentication no' is set in sshd_config and restrict access via firewall." }
+    )
+    foreach ($check in $specialListeners) {
+        if ($trustedPorts -contains $check.Port) { continue }
+        $match = $listeners | Where-Object { $_.LocalPort -eq $check.Port -and ($_.LocalAddress -eq "0.0.0.0" -or $_.LocalAddress -eq "::") }
+        if ($match) {
+            $procId = $match[0].OwningProcess
+            $proc = $procLookup[$procId]
+            $procName = if ($proc) { $proc.Name } else { "Unknown (PID: $procId)" }
+            Add-Finding -Severity $check.Severity -Category "Network" `
+                -Title $check.Title `
+                -Description "$($check.Description) Process: '$procName'." `
+                -Remediation $check.Remediation `
+                -Details @{ Port = $check.Port; Process = $procName; PID = $procId } `
+                -MITRE @($check.MITRE)
+        }
+    }
+
     # ── 4. DNS Configuration ─────────────────────────────────────────────
 
     Write-Status "Checking DNS configuration..."

tests/Invoke-MockScan.ps1

@@ -133,8 +133,10 @@ if (-not $jsonFiles) {
 
     # Category coverage: each active module should produce at least one finding
     Write-TestHeader "Module Coverage"
-    Assert-FindingCount -Findings $findings -Category "FileSystem" -MinCount 1 -TestName "FileSystem module produced findings"
-    Assert-FindingCount -Findings $findings -Category "General"    -MinCount 1 -TestName "General module produced findings"
+    Assert-FindingCount -Findings $findings -Category "FileSystem"     -MinCount 1 -TestName "FileSystem module produced findings"
+    Assert-FindingCount -Findings $findings -Category "General"        -MinCount 1 -TestName "General module produced findings"
+    Assert-FindingCount -Findings $findings -Category "Network"        -MinCount 1 -TestName "Network module produced findings"
+    Assert-FindingCount -Findings $findings -Category "DefenseEvasion" -MinCount 1 -TestName "DefenseEvasion module produced findings"
 
     # Severity field is always one of the three valid values
     Write-TestHeader "Severity Field Validity"