What's New
New Detections
- PowerShell Profile Injection (T1546.013) -- Scans all four `$PROFILE` paths (AllUsersAllHosts, AllUsersCurrentHost, CurrentUserAllHosts, CurrentUserCurrentHost) for suspicious patterns (`IEX`, encoded commands, download cradles, execution-policy bypass, etc.). Catches attackers who inject code into PowerShell profiles so that it runs at the start of every PowerShell session.
- Root Certificate Store Anomalies (T1553.004) -- Compares `Cert:\LocalMachine\Root` against 46 well-known CA name fragments (Microsoft, DigiCert, GlobalSign, Let's Encrypt, etc.). Flags unknown root CAs that could be rogue MITM certificates installed by malware or by TLS-inspecting corporate proxies. Name matching is a heuristic: a rogue root can carry any subject name, so a clean result means no obvious anomaly rather than a trusted store, and each flagged root should be checked against your PKI or proxy inventory before it is removed.
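The following is an added example of how the two detections above can be implemented; it is not the Am-I-Hacked module code. The regex indicator set, the shortened known-CA fragment list, the function names and the finding object layout are all assumptions chosen for illustration (the shipped module uses its own patterns and a 46-entry list). Note that `ISRG` is included alongside `Let's Encrypt`, because Let's Encrypt's own root certificates are named `ISRG Root X1` and `ISRG Root X2`.

```powershell
# Added example (not the project's own code). Assumptions: pattern names/regexes,
# the fragment allow-list and the output object shape are illustrative only.

# --- Detection 1: PowerShell profile injection (T1546.013) ---
function Get-ProfileInjectionFindings {
    [CmdletBinding()]
    param(
        # The four standard profile paths are exposed as NoteProperties on $PROFILE.
        # They resolve for the user and host (Windows PowerShell vs PowerShell 7) running this scan.
        [string[]]$ProfilePath = @(
            $PROFILE.AllUsersAllHosts,
            $PROFILE.AllUsersCurrentHost,
            $PROFILE.CurrentUserAllHosts,
            $PROFILE.CurrentUserCurrentHost
        )
    )

    # Assumed indicator set: in-memory execution, encoded payloads, download cradles, bypasses.
    # -match is case-insensitive by default, so 'IEX' and 'iex' both hit.
    $suspicious = @{
        'Invoke-Expression / IEX'   = '\b(Invoke-Expression|iex)\b'
        'Encoded command'           = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
        'Download cradle'           = '(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer)'
        'Execution policy bypass'   = '-(ep|executionpolicy)\s+bypass|Set-ExecutionPolicy\s+(Unrestricted|Bypass)'
        'Hidden / no-profile spawn' = '-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b'
    }

    foreach ($path in $ProfilePath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $lines = @(Get-Content -LiteralPath $path)
        for ($i = 0; $i -lt $lines.Count; $i++) {
            foreach ($name in $suspicious.Keys) {
                if ($lines[$i] -match $suspicious[$name]) {
                    [pscustomobject]@{
                        Technique = 'T1546.013'
                        Severity  = 'critical'
                        Profile   = $path
                        Line      = $i + 1
                        Indicator = $name
                        Content   = $lines[$i].Trim()
                    }
                }
            }
        }
    }
}

# --- Detection 2: root certificate store anomalies (T1553.004) ---
function Get-RootCertificateAnomalies {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        # Assumed, shortened allow-list of subject-name fragments for well-known public CAs.
        [string[]]$KnownCAFragment = @(
            'Microsoft', 'DigiCert', 'GlobalSign', "Let's Encrypt", 'ISRG', 'Sectigo', 'Comodo',
            'Entrust', 'GoDaddy', 'Starfield', 'Baltimore', 'VeriSign', 'Thawte', 'GeoTrust',
            'IdenTrust', 'DST Root', 'Amazon', 'Google Trust', 'QuoVadis', 'Certum', 'SwissSign',
            'Actalis', 'Buypass', 'SSL.com', 'USERTrust', 'AAA Certificate'
        )
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_   # keep a handle; $_ is reused by the inner Where-Object below
        $matched = $KnownCAFragment | Where-Object { $cert.Subject -like "*$_*" }
        if (-not $matched) {
            [pscustomobject]@{
                Technique  = 'T1553.004'
                Severity   = 'warning'
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                # A root should be self-signed; anything else sitting in Root is doubly suspicious.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Note       = 'No known CA name fragment in Subject; verify against PKI/proxy inventory before removal.'
            }
        }
    }
}

# Usage: run from an elevated prompt so the LocalMachine store and AllUsers profiles are readable.
Get-ProfileInjectionFindings | Format-Table -AutoSize
Get-RootCertificateAnomalies | Format-Table Subject, SelfSigned, Thumbprint, NotAfter -AutoSize
```

Two practical caveats follow from how `$PROFILE` resolves: the two CurrentUser paths belong to the account running the scan, so other local users' profiles under `C:\Users\<name>\Documents\WindowsPowerShell\` and `...\Documents\PowerShell\` are only covered if you enumerate them separately, and Windows PowerShell 5.1 and PowerShell 7 keep separate profile directories, so a scan from one host does not see the other's profiles. For the certificate check, comparing the flagged thumbprints against a known-good baseline taken from a clean build is more reliable than name matching alone.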
Report Improvements
- Category Breakdown Chart -- New stacked horizontal bar chart between the stats grid and system info, showing finding counts per module broken down by severity (critical/warning/info). Pure CSS, no external dependencies.
- Improved Remediation Click-to-Copy -- The click-to-copy regex now also catches system commands (`sfc /scannow`, `netsh`, `reg`, `certutil`, `dism`, etc.) in addition to PowerShell cmdlets.
Upgrade
Just replace AmIHacked.ps1, lib/, and modules/ with the new versions. No config changes required.
Full Changelog: https://github.com/TMHSDigital/Am-I-Hacked/blob/main/CHANGELOG.md