Releases: TMHSDigital/Am-I-Hacked

v0.5.0

16 Mar 00:11

What's New

New Detections

  • PowerShell Profile Injection (T1546.013) -- Scans all four $PROFILE paths for suspicious patterns (IEX, encoded commands, download cradles, bypass, etc.). Catches attackers who inject code into PS profiles to execute on every PowerShell session.

  • Root Certificate Store Anomalies (T1553.004) -- Compares Cert:\LocalMachine\Root against 46 well-known CA name fragments (Microsoft, DigiCert, GlobalSign, Let's Encrypt, etc.). Flags unknown root CAs that could be rogue MITM certificates installed by malware or corporate proxies.
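As an added illustration, not code from the Am-I-Hacked modules, here is a compact PowerShell version of both v0.5.0 detections; the suspicious-pattern list and the CA name fragments are assumptions chosen for the example and are far shorter than the scanner's own lists.

```powershell
# Added example, not Am-I-Hacked's code. Pattern and CA fragment lists are
# illustrative assumptions; the real modules use their own (46 CA fragments).
$SuspiciousProfilePatterns = @(
    '\bIEX\b|Invoke-Expression',                                     # inline execution
    '-enc(odedCommand)?\b|FromBase64String',                         # encoded payloads
    'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest',  # download cradles
    '-ExecutionPolicy\s+Bypass'                                      # policy bypass
)

function Find-ProfileInjection {
    # T1546.013: the four profile paths are exposed as NoteProperties on $PROFILE.
    $paths = $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
             $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $lineNo = 0
        foreach ($line in (Get-Content -LiteralPath $path)) {
            $lineNo++
            $hit = $SuspiciousProfilePatterns | Where-Object { $line -match $_ } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Technique = 'T1546.013'; Severity = 'WARNING'; Path = $path
                    Line = $lineNo; Pattern = $hit; Evidence = $line.Trim()
                }
            }
        }
    }
}

$KnownRootCAFragments = 'Microsoft', 'DigiCert', 'GlobalSign', 'ISRG', 'Sectigo',
                        'Entrust', 'Baltimore', 'GoDaddy', 'VeriSign', 'Thawte'

function Find-UnknownRootCA {
    # T1553.004: any LocalMachine root whose subject matches no known CA fragment.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        $known = $KnownRootCAFragments | Where-Object { $cert.Subject -like "*$_*" }
        if (-not $known) {
            [pscustomobject]@{
                Technique = 'T1553.004'; Severity = 'WARNING'; Subject = $cert.Subject
                Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
            }
        }
    }
}

Find-ProfileInjection | Format-Table -AutoSize
Find-UnknownRootCA    | Format-Table -AutoSize
```

Review any unknown root CA against your organisation's proxy or endpoint inventory before treating it as rogue; corporate TLS inspection installs roots the same way malware does.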

Report Improvements

  • Category Breakdown Chart -- New stacked horizontal bar chart between the stats grid and system info showing finding counts per module, broken down by severity (critical/warning/info). Pure CSS, no external dependencies.

  • Improved Remediation Click-to-Copy -- The click-to-copy regex now also catches system commands (sfc /scannow, netsh, reg, certutil, dism, etc.) in addition to PowerShell cmdlets.

Upgrade

Just replace AmIHacked.ps1, lib/, and modules/ with the new versions. No config changes required.

Full Changelog: https://github.com/TMHSDigital/Am-I-Hacked/blob/main/CHANGELOG.md

v0.4.9 -- WinRM/SSH Detection, Report Hardening

15 Mar 23:54

Added

  • WinRM listener detection -- flags ports 5985/5986 if not in TrustedPorts (WARNING, T1021.006)
  • SSH listener detection -- flags port 22 if not in TrustedPorts (INFO, T1021.004)
  • Test assertions -- Assert-FindingCount for Network and DefenseEvasion modules

Fixed

  • TrustedCompanies config drift -- Get-DefaultConfig expanded from 9 to 38 entries, synced with config.example.json
  • Report HTML injection hardening -- finding details now use [System.Net.WebUtility]::HtmlEncode() instead of manual </> replacement
  • Score formula documented -- added comment explaining penalty weights and cap behavior
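An added example (not the project's ReportGenerator code) contrasting the old manual angle-bracket replacement with [System.Net.WebUtility]::HtmlEncode(); the sample finding text and the table-cell template are constructed for the illustration.

```powershell
# Added example, not Am-I-Hacked's code. Shows why the v0.4.9 hardening matters:
# replacing only < and > leaves quotes and ampersands intact, so finding text that
# is rendered inside an attribute can still terminate that attribute.
function ConvertTo-HtmlManual {
    param([string]$Text)
    # The pre-0.4.9 approach: only angle brackets are neutralised.
    return $Text.Replace('<', '&lt;').Replace('>', '&gt;')
}

function ConvertTo-HtmlSafe {
    param([string]$Text)
    # The hardened approach: encodes < > & " and ' for any HTML context.
    return [System.Net.WebUtility]::HtmlEncode($Text)
}

function Test-AttributeSafe {
    param([string]$Encoded)
    # An encoded value is safe for a double-quoted attribute only if no raw quote survives.
    return -not $Encoded.Contains('"')
}

# Constructed sample: a service display name as the scanner might read it from the registry.
$detail   = 'Updater" title="x'
$template = '<td title="{0}">{0}</td>'

"Manual : " + ($template -f (ConvertTo-HtmlManual $detail)) + "  safe=" + (Test-AttributeSafe (ConvertTo-HtmlManual $detail))
"Encoded: " + ($template -f (ConvertTo-HtmlSafe   $detail)) + "  safe=" + (Test-AttributeSafe (ConvertTo-HtmlSafe   $detail))
```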

v0.4.8 -- Configurable Limits, PS Logging Checks, Report Improvements

15 Mar 23:48

Added

  • Configurable network/API limits -- BackdoorPorts, KnownDNSServers, AbuseIPDBMaxChecks, MaxVTLookups config fields with sensible defaults; commonPorts now uses TrustedPorts from config
  • Module Logging detection -- flags when PowerShell Module Logging is not enabled (INFO, T1562.002)
  • Transcription detection -- flags when PowerShell Transcription is not enabled (INFO, T1562.002)
  • Report suppressed count -- HTML report stats grid shows a "Suppressed" card when findings have been suppressed via config
  • README -- documented all new config fields in the configuration options table

v0.4.7 -- Startup Folder Check, Error Tracing, Report Fix

15 Mar 23:39

Added

  • Startup folder persistence check -- scans per-user and all-user startup folders for executables, scripts, and shortcuts (WARNING, T1547.001)

Fixed

  • 22 empty catch blocks replaced with Write-Verbose across Check-Accounts.ps1, Check-DefenseEvasion.ps1, Check-FileSystem.ps1, and lib/Helpers.ps1 so failures are traceable with -Verbose
  • Report filterFindings JS bug -- implicit event.target replaced with explicit button element parameter
  • Redundant if/else in Check-FileSystem.ps1 -- collapsed identical branches for trusted-company severity assignment

v0.4.6 -- Error Handling, ServiceWhitelist, Test Coverage

15 Mar 21:43

Added

  • ServiceWhitelist implementation -- config field now applied in service analysis to skip whitelisted services
  • Test assertions -- Assert-FindingCount helper, double-extension detection, category coverage, severity/remediation/MITRE field validation, CIMode JSON suppressed key check

Fixed

  • Error handling -- replaced silent empty catch {} blocks with Write-Verbose/Write-Status/Write-Warning in Check-Network.ps1, Helpers.ps1, and AmIHacked.ps1
  • New-DefaultConfig $PSScriptRoot fix -- default path now resolves correctly to project root instead of lib/

v0.4.5 -- Repo Audit Cleanup

15 Mar 21:34

Dead code removal, documentation fixes, and default config improvements.

Fixed

  • Removed unused Get-ProcessParentId, Get-ProcessCommandLine from Helpers.ps1
  • Removed unused \\ from ReportGenerator.ps1
  • Removed unused \\ parameter from CI summary writer
  • Removed unreachable whitelist guard in Check-Processes.ps1
  • Added TrustedAppDirs and Suppressions defaults to Get-DefaultConfig so configless runs don't silently skip filtering
  • Updated README CI JSON example with suppressed key and correct version
  • Added 0.4.x to SECURITY.md supported versions

Changed

  • fix-bom.ps1 now tracked in repo (updated to use C:\Users\16mat\AppData\Local\Temp)

v0.4.4

15 Mar 21:22

Finding Suppression System -- Users can silence known-benign findings by adding pattern matches to config. Suppressed count appears in the summary box and CI JSON output.

v0.4.3

15 Mar 21:10

New Detection & UX Improvements

Added

  • AMSI registry checks -- detects AmsiEnable=0 (CRITICAL, T1562.001) and missing PowerShell Script Block Logging (INFO, T1562.002)
  • PS.Security preflight -- warns at scan startup when signature verification is unavailable, listing affected checks
  • -SkipModules Baseline -- baseline comparison is now skippable for faster targeted scans
  • ASCII verdict box in CI mode -- non-interactive output avoids Unicode encoding issues in piped/agent terminals
  • Pre-commit hook -- .githooks/pre-commit enforces UTF-8 BOM on all .ps1 files
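An added example, not the scanner's own code, of the registry checks behind the v0.4.8 Module Logging and Transcription items and the v0.4.3 AMSI and Script Block Logging items; the key paths are the standard PowerShell policy locations and the per-user Windows Script settings key, and the output fields mirror the severity and MITRE IDs quoted in the release notes.

```powershell
# Added example, not Am-I-Hacked's code. Checks the logging policies (T1562.002)
# and the AmsiEnable value (T1562.001) described in the v0.4.8 and v0.4.3 notes.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy never configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PowerShellLoggingPosture {
    $checks = @(
        @{ Name = 'Script Block Logging'; Key = "$PolicyRoot\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
        @{ Name = 'Module Logging';       Key = "$PolicyRoot\ModuleLogging";      Value = 'EnableModuleLogging' }
        @{ Name = 'Transcription';        Key = "$PolicyRoot\Transcription";      Value = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        # Absent ($null) and explicitly 0 are both "not enabled".
        if ((Get-RegDword -Path $c.Key -Name $c.Value) -ne 1) {
            [pscustomobject]@{
                Technique = 'T1562.002'; Severity = 'INFO'; Finding = "$($c.Name) not enabled"
                Remediation = "Set $($c.Value)=1 under $($c.Key)"
            }
        }
    }
    # AmsiEnable=0 under the per-user Windows Script settings turns AMSI off for script hosts.
    $amsi = Get-RegDword -Path 'HKCU:\SOFTWARE\Microsoft\Windows Script\Settings' -Name 'AmsiEnable'
    if ($amsi -eq 0) {
        [pscustomobject]@{
            Technique = 'T1562.001'; Severity = 'CRITICAL'; Finding = 'AmsiEnable=0 (AMSI disabled)'
            Remediation = 'Remove the AmsiEnable value or set it to 1, then investigate who set it'
        }
    }
}

Test-PowerShellLoggingPosture | Format-Table -Wrap
```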

Fixed

  • Unsigned process false positives -- TrustedAppDirs config now applies to process checks (eliminates false CRITICALs for Git, dev tools, etc.)
  • Ephemeral port baseline noise -- ports 49152-65535 excluded from baseline diffs
  • Added Git\usr\bin to default TrustedAppDirs

v0.4.2

15 Mar 20:44

False-Positive Reduction & Reliability

Warning count drops from ~52 to ~24 on a typical developer workstation.

Fixed

  • AMSI false CRITICAL -- Get-FileSignature now returns a CheckFailed sentinel when PS.Security module can't load, instead of treating it as an unsigned file
  • Scanner self-contamination -- remoteIpMoProxy_* temp files from the scanner's own CIM/WMI calls no longer flagged
  • Stale COM registrations -- HKCU COM overrides where the DLL no longer exists are skipped (can't be exploited)
  • Known-legitimate scheduled tasks -- OneDrive, Opera, Zoom, Discord, Teams updaters no longer flagged as persistence
  • Per-user session services -- baseline diffs skip Windows per-user instances (e.g. AarSvc_ddff8)
  • $args shadowing -- renamed to $taskArgs in scheduled task checks
  • Restored Unicode box-drawing on verdict summary border

v0.4.1

15 Mar 18:48

Fixes

  • UTF-8 BOM -- all .ps1 files now use UTF-8 BOM encoding, fixing parse errors on PowerShell 5.1 where non-ASCII characters (checkmarks, box-drawing) were misinterpreted as string delimiters
  • $PSScriptRoot in param() -- path parameter defaults no longer reference $PSScriptRoot (unavailable during param() evaluation with powershell.exe -File); resolved in the script body instead

Both issues were discovered during AI agent integration testing of v0.4.0's -CIMode feature.
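An added example, not the project's AmIHacked.ps1, showing the safe pattern for both v0.4.1 fixes: resolving script-relative paths in the body rather than in param(), and a BOM check of the kind the later pre-commit hook enforces; $ConfigPath and Test-Utf8Bom are names chosen for the example.

```powershell
# Added example, not Am-I-Hacked's code.
# (1) Under powershell.exe -File, $PSScriptRoot is still empty while param()
#     defaults are evaluated, so a default computed there silently collapses
#     to a relative "\config.json". Leave the default unset and resolve it below.
[CmdletBinding()]
param(
    # Fragile:  [string]$ConfigPath = "$PSScriptRoot\config.json"
    [string]$ConfigPath
)

# In the script body $PSScriptRoot is populated; fall back to $MyInvocation for
# hosts that do not set it (e.g. a dot-sourced console session).
$root = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent $MyInvocation.MyCommand.Path }
if (-not $ConfigPath) { $ConfigPath = Join-Path $root 'config.json' }
"Config path resolved to: $ConfigPath"

# (2) Windows PowerShell 5.1 does not assume UTF-8 for a BOM-less .ps1, so
#     non-ASCII characters can be misparsed; the BOM makes the encoding explicit.
function Test-Utf8Bom {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)
}

# Report every .ps1 under the script root that lacks a BOM (what the hook enforces).
Get-ChildItem -Path $root -Recurse -Filter *.ps1 |
    Where-Object { -not (Test-Utf8Bom $_.FullName) } |
    ForEach-Object { "Missing UTF-8 BOM: $($_.FullName)" }
```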