v0.5.0: PS profile injection, root CA detection, report improvements

TMHSDigital · TMHSDigital · commit d778a8884629 · 2026-03-15T20:10:28.000-04:00
New detections:
- PowerShell profile injection detection (T1546.013)
- Root certificate store anomaly detection (T1553.004)

Report improvements:
- Category breakdown chart (stacked bars by severity)
- Remediation click-to-copy now matches system commands (sfc, netsh, etc.)

Docs: version bump across README/SECURITY/CLAUDE.md, CHANGELOG entry
Made-with: Cursor
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,4 @@ desktop.ini
 .claude/
 *.swp
 *.swo
+claude_code_prompt.md
diff --git a/AmIHacked.ps1 b/AmIHacked.ps1
@@ -80,7 +80,7 @@ if ($script:NonInteractive) {
 $script:RedactMap = @{}
 $script:SuppressedCount = 0
 
-$script:Version = "0.4.9"
+$script:Version = "0.5.0"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.5.0] - 2026-03-16
+
+### Added
+- **PowerShell profile injection detection** -- scans all four `$PROFILE` paths for suspicious patterns (IEX, encoded commands, download cradles, etc.) and emits WARNING + T1546.013
+- **Root certificate store anomaly detection** -- compares `Cert:\LocalMachine\Root` against 46 well-known CA name fragments; flags unknown root CAs as WARNING + T1553.004 (catches rogue MITM certs)
+- **Category breakdown chart in HTML report** -- stacked horizontal bar chart showing finding counts per module/category, placed between the stats grid and system info
+- **Improved remediation click-to-copy** -- regex now also matches system commands (`sfc`, `netsh`, `reg`, `certutil`, `dism`, etc.) and the `Import-` verb prefix
+
+### Changed
+- Version bumped to 0.5.0
+- SECURITY.md updated to mark 0.5.x as supported, 0.3.x as unsupported
+
 ## [0.4.9] - 2026-03-15
 
 ### Added
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -134,7 +134,17 @@ $summary = $jsonLine | ConvertFrom-Json
 | `Check-Network.ps1` | External connections, reverse-DNS, AbuseIPDB lookups, firewall rules |
 | `Check-Accounts.ps1` | Hidden/new accounts, brute-force indicators, RDP history, LSA protection |
 | `Check-FileSystem.ps1` | Modified system binaries, temp-dir executables, VirusTotal lookups, ADS, 8 persistence mechanisms |
-| `Check-DefenseEvasion.ps1` | Cleared event logs, AMSI tampering, Defender status, ETW tampering |
+| `Check-DefenseEvasion.ps1` | Cleared event logs, AMSI tampering, Defender status, ETW tampering, PS profile injection, root CA anomalies |
+
+## Prompt Handoff (Cursor ↔ Claude Code)
+
+`claude_code_prompt.md` (gitignored) is the shared prompt file. Cursor writes implementation prompts to it; Claude Code reads and executes them via:
+
+```
+Read claude_code_prompt.md and follow all instructions in it.
+```
+
+The file is overwritten for each new prompt. Claude Code prompts must **not** change versioning, documentation, or changelog -- Cursor handles those after reviewing the diff.
 
 ## Code Conventions
 
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.9-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.5.0-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.9"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.5.0"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected
@@ -170,7 +170,7 @@ Non-interactive environments (e.g. piped through `powershell.exe -NonInteractive
 </tr>
 <tr>
 <td><strong>Defense Evasion</strong></td>
-<td>Cleared event logs, AMSI tampering, Defender real-time protection & tamper protection, ETW autologger tampering, DisableAntiSpyware policy</td>
+<td>Cleared event logs, AMSI tampering, Defender real-time protection & tamper protection, ETW autologger tampering, DisableAntiSpyware policy, PowerShell profile injection, root certificate store anomalies</td>
 </tr>
 </table>
 
@@ -268,7 +268,7 @@ Every finding is tagged with technique IDs from the [MITRE ATT&CK](https://attac
 | **Execution** | T1059.001, T1204.002 |
 | **Persistence** | T1053.005, T1136.001, T1197, T1543.003, T1546.003, T1546.010, T1546.012, T1546.015, T1547.001, T1547.004 |
 | **Privilege Escalation** | T1574.001, T1574.009 |
-| **Defense Evasion** | T1036.001, T1036.005, T1070.001, T1562.001, T1562.002, T1562.004, T1564, T1564.002, T1564.004 |
+| **Defense Evasion** | T1036.001, T1036.005, T1070.001, T1546.013, T1553.004, T1562.001, T1562.002, T1562.004, T1564, T1564.002, T1564.004 |
 | **Credential Access** | T1003.001, T1003.002, T1003.003, T1110, T1110.001, T1555, T1555.003 |
 | **Discovery** | T1078.003 |
 | **Lateral Movement** | T1021.001 |
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,8 +4,9 @@
 
 | Version | Supported |
 |---------|-----------|
+| 0.5.x   | Yes       |
 | 0.4.x   | Yes       |
-| 0.3.x   | Yes       |
+| 0.3.x   | No        |
 | < 0.3   | No        |
 
 ## Scope
diff --git a/_commit_msg.txt b/_commit_msg.txt
@@ -0,0 +1,11 @@
+v0.5.0: PS profile injection, root CA detection, report improvements
+
+New detections:
+- PowerShell profile injection detection (T1546.013)
+- Root certificate store anomaly detection (T1553.004)
+
+Report improvements:
+- Category breakdown chart (stacked bars by severity)
+- Remediation click-to-copy now matches system commands (sfc, netsh, etc.)
+
+Docs: version bump across README/SECURITY/CLAUDE.md, CHANGELOG entry
diff --git a/lib/ReportGenerator.ps1 b/lib/ReportGenerator.ps1
@@ -119,7 +119,11 @@ function Generate-HtmlReport {
             $remediationHtml = ""
             if ($finding.Remediation) {
                 $escapedRemediation = $finding.Remediation -replace '<','&lt;' -replace '>','&gt;'
-                $remediationWithCopy = $escapedRemediation -replace '((?:Remove-|Set-|Disable-|Enable-|Get-|Stop-|Start-|Update-|New-|Add-|Unregister-)[A-Za-z\-]+(?:\s+[^\r\n]*?)?)(?=\s*$|\.)', '<code class="ps-cmd" onclick="copyCmd(this)">$1</code>'
+                $remediationWithCopy = $escapedRemediation -replace '(?:^|(?<=\s))((Remove-|Set-|Disable-|Enable-|Get-|Stop-|Start-|Update-|New-|Add-|Unregister-|Import-)[A-Za-z\-]+(?:\s+[^\r\n]*?)?)(?=\s*$|\.(?:\s|$))', '<code class="ps-cmd" onclick="copyCmd(this)">$1</code>'
+                $sysPattern = @'
+(?:^|(?<=[\s'"]))((sfc|netsh|reg|certutil|bitsadmin|wevtutil|bcdedit|sc|icacls|takeown|dism)\s+[^\r\n.]*?)(?=\s*$|\.(?:\s|$))
+'@
+                $remediationWithCopy = $remediationWithCopy -replace $sysPattern, '<code class="ps-cmd" onclick="copyCmd(this)">$1</code>'
                 $remediationHtml = "<div class='finding-remediation'><span class='remediation-label'>Remediation:</span> $remediationWithCopy</div>"
             }
 
@@ -148,6 +152,39 @@ function Generate-HtmlReport {
 "@
     }
 
+    $categoryChartHtml = ""
+    if ($categories.Count -gt 0) {
+        $maxCatCount = ($categories | ForEach-Object { $_.Count } | Measure-Object -Maximum).Maximum
+        $chartRows = ""
+        foreach ($cat in $categories) {
+            $catCritC  = ($cat.Group | Where-Object { $_.Severity -eq "CRITICAL" }).Count
+            $catWarnC  = ($cat.Group | Where-Object { $_.Severity -eq "WARNING"  }).Count
+            $catInfoC  = ($cat.Group | Where-Object { $_.Severity -eq "INFO"     }).Count
+            $catTotalC = $cat.Count
+
+            $catChartName = switch ($cat.Name) {
+                "Process"        { "Process &amp; Service Analysis" }
+                "Network"        { "Network Indicators" }
+                "Account"        { "Account &amp; Authentication" }
+                "FileSystem"     { "File System Red Flags" }
+                "DefenseEvasion" { "Defense Evasion &amp; Anti-Forensics" }
+                "Baseline"       { "Baseline Comparison" }
+                default          { $cat.Name }
+            }
+
+            $critPct = if ($maxCatCount -gt 0) { [math]::Round(($catCritC / $maxCatCount) * 100, 1) } else { 0 }
+            $warnPct = if ($maxCatCount -gt 0) { [math]::Round(($catWarnC / $maxCatCount) * 100, 1) } else { 0 }
+            $infoPct = if ($maxCatCount -gt 0) { [math]::Round(($catInfoC / $maxCatCount) * 100, 1) } else { 0 }
+
+            $critSeg = if ($catCritC -gt 0) { "<div class='chart-bar-segment' style='width:${critPct}%;background:var(--critical)'></div>" } else { "" }
+            $warnSeg = if ($catWarnC -gt 0) { "<div class='chart-bar-segment' style='width:${warnPct}%;background:var(--warning)'></div>" } else { "" }
+            $infoSeg = if ($catInfoC -gt 0) { "<div class='chart-bar-segment' style='width:${infoPct}%;background:var(--info)'></div>" } else { "" }
+
+            $chartRows += "<div class='chart-row'><span class='chart-label'>$catChartName</span><div class='chart-bar-bg'>$critSeg$warnSeg$infoSeg</div><span class='chart-count'>$catTotalC</span></div>"
+        }
+        $categoryChartHtml = "<div class='category-chart'>$chartRows</div>"
+    }
+
     $html = @"
 <!DOCTYPE html>
 <html lang="en">
@@ -389,6 +426,14 @@ function Generate-HtmlReport {
         .stat-total .stat-value { color: var(--text-primary); }
         .stat-suppressed .stat-value { color: var(--text-secondary); }
 
+        /* -- Category Chart -- */
+        .category-chart { background: var(--bg-card); border: 1px solid var(--border); border-radius: 8px; padding: 1rem 1.5rem; margin-bottom: 1.5rem; max-height: 200px; overflow-y: auto; }
+        .chart-row { display: flex; align-items: center; gap: 0.75rem; padding: 0.3rem 0; font-size: 0.8rem; }
+        .chart-label { flex: 0 0 200px; color: var(--text-secondary); white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+        .chart-bar-bg { flex: 1; height: 14px; background: var(--bg-secondary); border-radius: 4px; display: flex; overflow: hidden; }
+        .chart-bar-segment { height: 100%; }
+        .chart-count { flex: 0 0 2rem; text-align: right; color: var(--text-muted); font-size: 0.75rem; }
+
         /* -- System Info -- */
         .system-info {
             background: var(--bg-card);
@@ -737,6 +782,8 @@ function Generate-HtmlReport {
             $(if ($SuppressedCount -gt 0) { "<div class=`"stat-card stat-suppressed`"><div class=`"stat-value`">$SuppressedCount</div><div class=`"stat-label`">Suppressed</div></div>" })
         </div>
 
+        ${categoryChartHtml}
+
         <div class="system-info">
             <div><span class="label">Computer</span><span class="value">$($SystemInfo.ComputerName)</span></div>
             <div><span class="label">User</span><span class="value">$($SystemInfo.Domain)\$($SystemInfo.UserName)</span></div>
diff --git a/modules/Check-DefenseEvasion.ps1 b/modules/Check-DefenseEvasion.ps1
@@ -245,4 +245,108 @@ function Invoke-DefenseEvasionChecks {
         Write-Verbose "Could not check Defender TamperProtection: $_"
     }
 
+    # ── 6. PowerShell Profile Injection ──────────────────────────────────
+
+    Write-Status "Checking PowerShell profiles for injection..."
+
+    try {
+        $profilePaths = @(
+            @{ Name = "AllUsersAllHosts";       Path = $PROFILE.AllUsersAllHosts },
+            @{ Name = "AllUsersCurrentHost";    Path = $PROFILE.AllUsersCurrentHost },
+            @{ Name = "CurrentUserAllHosts";    Path = $PROFILE.CurrentUserAllHosts },
+            @{ Name = "CurrentUserCurrentHost"; Path = $PROFILE.CurrentUserCurrentHost }
+        )
+
+        $suspiciousPatterns = @(
+            'Download',
+            'IEX\b',
+            'Invoke-Expression',
+            '\-[Ee]nc\b',
+            '\-EncodedCommand',
+            'Net\.WebClient',
+            'Start-Process\s+.*-WindowStyle\s+Hidden',
+            '[Hh]idden',
+            '[Bb]ypass',
+            'New-Object\s+System\.Net',
+            'DownloadString',
+            'DownloadFile',
+            'Invoke-WebRequest',
+            'Invoke-RestMethod',
+            'bitstransfer',
+            'FromBase64String'
+        )
+        $combinedPattern = ($suspiciousPatterns -join '|')
+
+        foreach ($profile in $profilePaths) {
+            if (-not $profile.Path -or -not (Test-Path $profile.Path)) { continue }
+
+            $content = Get-Content $profile.Path -Raw -ErrorAction SilentlyContinue
+            if (-not $content) { continue }
+
+            $matched = $suspiciousPatterns | Where-Object { $content -match $_ }
+            if ($matched) {
+                $fileInfo = Get-Item $profile.Path -ErrorAction SilentlyContinue
+                Add-Finding -Severity "WARNING" -Category "DefenseEvasion" `
+                    -Title "Suspicious PowerShell Profile: $($profile.Name)" `
+                    -Description "The PowerShell profile '$($profile.Name)' at '$($profile.Path)' contains suspicious patterns. Attackers inject code into PS profiles to execute malicious commands on every PowerShell session. Matched patterns: $($matched -join ', ')." `
+                    -Remediation "Review the profile content: Get-Content '$($profile.Path)'. Remove suspicious lines or rename the file." `
+                    -Details @{
+                        Path            = $profile.Path
+                        ProfileName     = $profile.Name
+                        FileSize        = if ($fileInfo) { $fileInfo.Length } else { 0 }
+                        LastModified    = if ($fileInfo) { $fileInfo.LastWriteTime } else { $null }
+                        MatchedPatterns = $matched
+                    } `
+                    -MITRE @("T1546.013")
+            }
+        }
+    } catch {
+        Write-Verbose "Could not check PowerShell profiles: $_"
+    }
+
+    # ── 7. Certificate Store Anomaly Detection ───────────────────────────
+
+    Write-Status "Checking root certificate store for anomalies..."
+
+    try {
+        $knownCAs = @(
+            'Microsoft', 'DigiCert', 'GlobalSign', 'Comodo', 'Sectigo', 'VeriSign',
+            'Symantec', 'GeoTrust', 'Thawte', "Let's Encrypt", 'ISRG Root', 'Entrust',
+            'GoDaddy', 'Starfield', 'Amazon', 'Baltimore CyberTrust', 'Cybertrust',
+            'QuoVadis', 'USERTrust', 'AAA Certificate Services', 'AddTrust', 'Certum',
+            'CNNIC', 'D-TRUST', 'eMudhra', 'E-Tugra', 'Hongkong Post', 'SECOM',
+            'SwissSign', 'T-TeleSec', 'TWCA', 'TeliaSonera', 'Actalis', 'Buypass',
+            'Certigna', 'IdenTrust', 'NetLock', 'OISTE', 'WISeKey', 'SSL.com',
+            'Trustwave', 'Staat der Nederlanden', 'Government', 'AC RAIZ', 'ACCVRAIZ',
+            'CFCA', 'XRamp'
+        )
+
+        $rootCerts = Get-ChildItem "Cert:\LocalMachine\Root" -ErrorAction SilentlyContinue
+        foreach ($cert in $rootCerts) {
+            $subjectOrFriendly = if ($cert.Subject) { $cert.Subject } else { $cert.FriendlyName }
+            $isKnown = $false
+            foreach ($ca in $knownCAs) {
+                if ($subjectOrFriendly -like "*$ca*") { $isKnown = $true; break }
+            }
+            if (-not $isKnown) {
+                $displayName = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { $cert.Subject.Substring(0, [math]::Min(60, $cert.Subject.Length)) }
+                Add-Finding -Severity "WARNING" -Category "DefenseEvasion" `
+                    -Title "Unknown Root CA: $displayName" `
+                    -Description "Root certificate '$($cert.Subject)' in Cert:\LocalMachine\Root is not in the well-known CA list. This could be a corporate proxy CA (benign) or a rogue certificate installed by malware to intercept HTTPS traffic via MITM." `
+                    -Remediation "Review the certificate in certlm.msc. If unexpected, remove it: Remove-Item 'Cert:\LocalMachine\Root\$($cert.Thumbprint)'" `
+                    -Details @{
+                        Subject      = $cert.Subject
+                        Thumbprint   = $cert.Thumbprint
+                        NotBefore    = $cert.NotBefore
+                        NotAfter     = $cert.NotAfter
+                        FriendlyName = $cert.FriendlyName
+                        Issuer       = $cert.Issuer
+                    } `
+                    -MITRE @("T1553.004")
+            }
+        }
+    } catch {
+        Write-Status "Could not check root certificate store: $_" -Color Yellow
+    }
+
 }
