Startup folder check, catch block logging, filterFindings fix (v0.4.7)

- Add startup folder persistence check (per-user + all-user, T1547.001)
- Replace 22 empty catch blocks with Write-Verbose across Check-Accounts,
  Check-DefenseEvasion, Check-FileSystem, and Helpers
- Fix filterFindings JS to pass button element instead of relying on
  implicit event variable
- Collapse redundant if/else branch in Check-FileSystem.ps1

Made-with: Cursor

Author: TMHSDigital

AmIHacked.ps1

@@ -80,7 +80,7 @@ if ($script:NonInteractive) {
 $script:RedactMap = @{}
 $script:SuppressedCount = 0
 
-$script:Version = "0.4.6"
+$script:Version = "0.4.7"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.7] - 2026-03-15
+
+### Added
+- **Startup folder persistence check** -- scans per-user and all-user startup folders for executables, scripts, and shortcuts (WARNING, T1547.001)
+
+### Fixed
+- **22 empty catch blocks** replaced with `Write-Verbose` across Check-Accounts.ps1, Check-DefenseEvasion.ps1, Check-FileSystem.ps1, and lib/Helpers.ps1 so failures are traceable with `-Verbose`
+- **Report filterFindings JS bug** -- implicit `event.target` replaced with explicit button element parameter, fixing potential strict-mode errors
+- **Redundant if/else in Check-FileSystem.ps1** -- collapsed identical branches for trusted-company severity assignment
+
 ## [0.4.6] - 2026-03-15
 
 ### Added

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.6-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.7-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.6"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.7"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected

lib/Helpers.ps1

@@ -539,7 +539,9 @@ function Compare-Baseline {
             } else {
                 $baselineAge = " ($([math]::Floor($age.TotalHours))h ago)"
             }
-        } catch {}
+        } catch {
+            Write-Verbose "Could not parse baseline timestamp: $_"
+        }
 
         Write-Status "Baseline: $($old.Timestamp)$baselineAge" -Color Gray
 
@@ -605,7 +607,9 @@ function Compare-Baseline {
                             -MITRE @("T1547.001")
                     }
                 }
-            } catch {}
+            } catch {
+                Write-Verbose "Could not read Run key '$keyPath' for baseline comparison: $_"
+            }
         }
 
         Write-Status "Baseline comparison complete."

lib/ReportGenerator.ps1

@@ -745,10 +745,10 @@ function Generate-HtmlReport {
         </div>
 
         <div class="filter-bar">
-            <button class="filter-btn active" onclick="filterFindings('all')">All ($totalCount)</button>
-            <button class="filter-btn" onclick="filterFindings('critical')">Critical ($critCount)</button>
-            <button class="filter-btn" onclick="filterFindings('warning')">Warning ($warnCount)</button>
-            <button class="filter-btn" onclick="filterFindings('info')">Info ($infoCount)</button>
+            <button class="filter-btn active" onclick="filterFindings(this, 'all')">All ($totalCount)</button>
+            <button class="filter-btn" onclick="filterFindings(this, 'critical')">Critical ($critCount)</button>
+            <button class="filter-btn" onclick="filterFindings(this, 'warning')">Warning ($warnCount)</button>
+            <button class="filter-btn" onclick="filterFindings(this, 'info')">Info ($infoCount)</button>
         </div>
 
         ${findingsHtml}
@@ -780,9 +780,9 @@ function Generate-HtmlReport {
             }
         }
 
-        function filterFindings(level) {
+        function filterFindings(btn, level) {
             document.querySelectorAll('.filter-btn').forEach(b => b.classList.remove('active'));
-            event.target.classList.add('active');
+            btn.classList.add('active');
             document.querySelectorAll('.finding').forEach(f => {
                 f.style.display = (level === 'all' || f.dataset.severity === level) ? 'block' : 'none';
             });

modules/Check-Accounts.ps1

@@ -204,7 +204,9 @@ function Invoke-AccountsChecks {
                 } `
                 -MITRE @("T1021.001")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not read RDP session history: $_"
+    }
 
     # ── 5. Event Log Clearing Detection ──────────────────────────────────
 
@@ -240,7 +242,9 @@ function Invoke-AccountsChecks {
                     -MITRE @("T1070.001")
             }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check event log clearing events: $_"
+    }
 
     # ── 6. Credential Dumping Artifacts ──────────────────────────────────
 
@@ -315,6 +319,8 @@ function Invoke-AccountsChecks {
                 -Remediation "Enable LSA Protection: Set registry HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1 and reboot." `
                 -MITRE @("T1003.001")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check LSA protection: $_"
+    }
 
 }

modules/Check-DefenseEvasion.ps1

@@ -61,7 +61,9 @@ function Invoke-DefenseEvasionChecks {
                 -Details @{ Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"; Value = 1 } `
                 -MITRE @("T1562.001")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check Defender DisableAntiSpyware policy: $_"
+    }
 
     $amsiDll = "$env:SystemRoot\System32\amsi.dll"
     if (Test-Path $amsiDll) {
@@ -87,7 +89,9 @@ function Invoke-DefenseEvasionChecks {
                 -Remediation "Re-register Windows Defender as an AMSI provider. Run 'sfc /scannow' and ensure Defender is properly installed." `
                 -MITRE @("T1562.001")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not enumerate AMSI providers: $_"
+    }
 
     try {
         $amsiEnable = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -ErrorAction SilentlyContinue
@@ -99,7 +103,9 @@ function Invoke-DefenseEvasionChecks {
                 -Details @{ Key = "HKLM:\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable"; Value = 0 } `
                 -MITRE @("T1562.001")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check AMSI Windows Script Settings: $_"
+    }
 
     try {
         $sbl = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue
@@ -111,7 +117,9 @@ function Invoke-DefenseEvasionChecks {
                 -Details @{ Key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging"; Value = "absent or 0" } `
                 -MITRE @("T1562.002")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check ScriptBlockLogging policy: $_"
+    }
 
     # ── 3. Windows Defender Real-Time Protection ─────────────────────────
 
@@ -169,7 +177,9 @@ function Invoke-DefenseEvasionChecks {
                 -Details @{ CurrentValue = $etwSecurity.Start; ExpectedValue = 1 } `
                 -MITRE @("T1562.002")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check ETW Security autologger: $_"
+    }
 
     try {
         $disabledLoggers = @(
@@ -186,7 +196,9 @@ function Invoke-DefenseEvasionChecks {
                     -MITRE @("T1562.002")
             }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check ETW Application/System autologgers: $_"
+    }
 
     # ── 5. Tamper Protection Check ───────────────────────────────────────
 
@@ -201,6 +213,8 @@ function Invoke-DefenseEvasionChecks {
                 -Remediation "Enable Tamper Protection through Windows Security > Virus & threat protection settings." `
                 -MITRE @("T1562.001")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check Defender TamperProtection: $_"
+    }
 
 }

modules/Check-FileSystem.ps1

@@ -133,11 +133,7 @@ function Invoke-FileSystemChecks {
                     } elseif ($hasValidSig) {
                         $severity = "INFO"
                     } elseif ($versionInfo -and (Test-IsTrustedCompany $versionInfo.CompanyName)) {
-                        if ($inTrustedDir) {
-                            $severity = "WARNING"
-                        } else {
-                            $severity = "WARNING"
-                        }
+                        $severity = "WARNING"
                     } elseif (-not $hasValidSig) {
                         if ($inTrustedDir) {
                             $severity = "WARNING"
@@ -302,7 +298,9 @@ function Invoke-FileSystemChecks {
                         -MITRE @("T1564.004")
                 }
             }
-        } catch {}
+        } catch {
+            Write-Verbose "Could not scan alternate data streams in $dir : $_"
+        }
     }
 
     if ($adsCount -eq 0) {
@@ -338,7 +336,9 @@ function Invoke-FileSystemChecks {
                     } `
                     -MITRE @("T1555.003","T1560.001")
             }
-        } catch {}
+        } catch {
+            Write-Verbose "Could not scan browser profile '$profileDir': $_"
+        }
     }
 
     $stealerPatterns = @("passwords.txt", "credentials.txt", "wallets.txt", "cookies.txt", "autofill.txt", "credit_cards.txt")
@@ -356,7 +356,9 @@ function Invoke-FileSystemChecks {
                     -MITRE @("T1555","T1005")
             }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check info-stealer artifacts in temp: $_"
+    }
 
     $walletPaths = @(
         "$env:APPDATA\Electrum\wallets",
@@ -379,7 +381,9 @@ function Invoke-FileSystemChecks {
                     -Details @{ Path = $wp; FilesAccessed = $recentAccess.Count } `
                     -MITRE @("T1005","T1555")
             }
-        } catch {}
+        } catch {
+            Write-Verbose "Could not check wallet file access at '$wp': $_"
+        }
     }
 
     # ── 6. Persistence via Common Autorun Locations ──────────────────────
@@ -449,7 +453,44 @@ function Invoke-FileSystemChecks {
                         -MITRE @("T1547.001")
                 }
             }
-        } catch {}
+        } catch {
+            Write-Verbose "Could not read autorun key '$key': $_"
+        }
+    }
+
+    # ── 6b. Startup Folder Executables ───────────────────────────────────
+
+    Write-Status "Checking startup folder contents..."
+
+    $startupFolders = @(
+        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
+        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
+    )
+    $startupExtensions = @('.exe', '.bat', '.cmd', '.vbs', '.ps1', '.lnk')
+
+    foreach ($startupFolder in $startupFolders) {
+        if (-not (Test-Path $startupFolder)) { continue }
+        try {
+            $startupItems = Get-ChildItem $startupFolder -File -ErrorAction SilentlyContinue |
+                Where-Object { $startupExtensions -contains $_.Extension.ToLower() }
+
+            foreach ($item in $startupItems) {
+                Add-Finding -Severity "WARNING" -Category "FileSystem" `
+                    -Title "Startup Folder Entry: $($item.Name)" `
+                    -Description "Found '$($item.Name)' in startup folder '$startupFolder'. Files placed here execute automatically at user logon. Verify this is a legitimate application." `
+                    -Remediation "If unexpected, remove: Remove-Item '$($item.FullName)'" `
+                    -Details @{
+                        Path     = $item.FullName
+                        Folder   = $startupFolder
+                        Size     = Format-ByteSize $item.Length
+                        Modified = $item.LastWriteTime
+                        Created  = $item.CreationTime
+                    } `
+                    -MITRE @("T1547.001")
+            }
+        } catch {
+            Write-Verbose "Could not scan startup folder '$startupFolder': $_"
+        }
     }
 
     # ── 7. Advanced Persistence: IFEO, AppInit_DLLs, Winlogon ────────────
@@ -474,7 +515,9 @@ function Invoke-FileSystemChecks {
                     -MITRE @("T1546.012")
             }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check IFEO debugger keys: $_"
+    }
 
     try {
         $appInitReg = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -ErrorAction SilentlyContinue
@@ -486,7 +529,9 @@ function Invoke-FileSystemChecks {
                 -Details @{ DLLs = $appInitReg.AppInit_DLLs; LoadEnabled = $appInitReg.LoadAppInit_DLLs } `
                 -MITRE @("T1546.010")
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check AppInit_DLLs: $_"
+    }
 
     try {
         $winlogon = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
@@ -510,7 +555,9 @@ function Invoke-FileSystemChecks {
                     -MITRE @("T1547.004")
             }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not check Winlogon keys: $_"
+    }
 
     # ── 8. COM Hijacking ─────────────────────────────────────────────────
 
@@ -559,9 +606,13 @@ function Invoke-FileSystemChecks {
                         } `
                         -MITRE @("T1546.015")
                 }
-            } catch {}
+            } catch {
+                Write-Verbose "Could not inspect CLSID '$($clsid.PSChildName)': $_"
+            }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not enumerate HKCU COM CLSID keys: $_"
+    }
 
     # ── 9. WMI Persistence ───────────────────────────────────────────────
 
@@ -635,7 +686,9 @@ function Invoke-FileSystemChecks {
                     -MITRE @("T1546.003")
             }
         }
-    } catch {}
+    } catch {
+        Write-Verbose "Could not enumerate WMI namespaces: $_"
+    }
 
     # ── 10. Scheduled Tasks Check ────────────────────────────────────────
 
@@ -706,7 +759,9 @@ function Invoke-FileSystemChecks {
                             -MITRE @("T1053.005")
                     }
                 }
-            } catch {}
+            } catch {
+                Write-Verbose "Could not inspect task '$($task.TaskName)': $_"
+            }
         }
     } catch {
         Write-Status "Could not enumerate scheduled tasks." -Color Yellow
@@ -722,7 +777,9 @@ function Invoke-FileSystemChecks {
             $apiTaskNames = @()
             try {
                 $apiTaskNames = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object { $_.TaskName }
-            } catch {}
+            } catch {
+                Write-Verbose "Could not enumerate scheduled tasks via API: $_"
+            }
 
             function Walk-TaskCache {
                 param([string]$Path, [string]$TaskPathPrefix)