p0w3rsh3ll / Autoruns
Programming Languages
AutoRuns PowerShell Module
AutoRuns module was designed to help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.
Table of Contents
Usage
Install the module
# Check the mmodule on powershellgallery.com
Find-Module -Name Autoruns -Repository PSGallery
Version Name Repository Description
------- ---- ---------- -----------
13.98 AutoRuns PSGallery AutoRuns is a module ...
# Save the module locally in Downloads folder
Save-Module -Name AutoRuns -Repository PSGallery -Path ~/Downloads
Stop and please review the content of the module, I mean the code to make sure it's trustworthy :-)
You can also verify that the SHA256 hashes of downloaded files match those stored in the catalog file
$HT = @{
CatalogFilePath = "~/Downloads/AutoRuns/13.98/AutoRuns.cat"
Path = "~/Downloads/AutoRuns/13.98"
Detailed = $true
FilesToSkip = 'PSGetModuleInfo.xml'
}
Test-FileCatalog @HT
# Import the module
Import-Module ~/Downloads/AutoRuns/13.98/AutoRuns.psd1 -Force -Verbose
Check the command available
Get-Command -Module AutoRuns
CommandType Name Version Source
----------- ---- ------- ------
Function Get-PSAutorun 13.98 AutoRuns
Find the syntax
# View the syntax
Get-Command Get-PSAutorun -Syntax
Get-PSAutorun [-All] [-BootExecute] [-AppinitDLLs] [-ExplorerAddons] [-ImageHijacks] [-InternetExplorerAddons] [-KnownDLLs] [-Logon] [-Winsock] [-Codecs] [-OfficeAddins] [-PrintMonitorDLLs] [-LSAsecurityProviders] [-ServicesAndDrivers] [-ScheduledTasks] [-Winlogon] [-WMI] [-PSProfiles] [-ShowFileHash] [-VerifyDigitalSignature] [-User <string>] [<CommonParameters>]
Get-PSAutorun [-All] [-BootExecute] [-AppinitDLLs] [-ExplorerAddons] [-ImageHijacks] [-InternetExplorerAddons] [-KnownDLLs] [-Logon] [-Winsock] [-Codecs] [-OfficeAddins] [-PrintMonitorDLLs] [-LSAsecurityProviders] [-ServicesAndDrivers] [-ScheduledTasks] [-Winlogon] [-WMI] [-PSProfiles] [-Raw] [-User <string>] [<CommonParameters>]
View examples provided in the help
# Get examples from the help
Get-Help Get-PSAutorun -Examples
NAME
Get-PSAutorun
SYNOPSIS
Get Autorun entries.
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-PSAutorun -BootExecute -AppinitDLLs
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-PSAutorun -KnownDLLs -LSAsecurityProviders -ShowFileHash
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-PSAutorun -All -ShowFileHash -VerifyDigitalSignature
-------------------------- EXAMPLE 4 --------------------------
PS C:\>Get-PSAutorun -All -User * -ShowFileHash -VerifyDigitalSignature
Issues
-
What are registrations in the WMI\Default namespace introduced in Autoruns v13.7? see c7eab48c77f578e0dcff61d2b46a479b28225a56
-
If you run PowerShell 5.1 and Applocker in allow mode, you need to merge an appplocker rule to your local policy so that the digital signature of this module is trusted. With that in place, it will allow you to successfully load the module and use the function in an interactive shell where PowerShell language mode is set to ConstrainedLanguage.
if ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage') {
Get-Content -Path AWL.xml
Set-AppLockerPolicy -XmlPolicy AWL.xml -Verbose -Merge
}
If your corporate admin has turned off local group policy objects processing on a domain joined device, you'll need to add the trusted publisher rule in a Domain group policy.
gp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name DisableLGPOProcessing -EA 0
Todo
Coding best practices
- [x] Use PSScriptAnalyzer module to validate the code follows best practices
- [ ] Write Pester tests for this module
OS and Software compatibility
- [x] Test the module in PowerShell Core 6.x (latest)
- [x] Test the module in PowerShell Core 7.x (latest)
- [ ] Test the module on Nano and get rid of Add-Member cmdlet
- [ ] Test the module on various versions of Windows 10
- [ ] Test the module on Windows RT
- [ ] Review Office Add-ins code with Office x86 and x64 versions
General improvements
- [ ] Write a better implementation of the internal Get-RegValue function
- [ ] Review and improve regex used by the internal Get-PSPrettyAutorun function (ex: external paths)
New features
- [x] Replace HKCU and add an option to specify what user hive is being investigated
- [ ] Add timestamps on registry keys
- [ ] Analyze an offline image of Windows
Help
- [ ] More examples
- [ ] Use external help?
- [ ] Internationalization?
- [ ] Copy the commetented changelog at the end of the module in README.md
- [ ] Document issues and write a pester tests to validate the module behavior if fixed
Credits
Thanks go to:
-
@LeeHolmes:
- Improving common parameters 7fe8e7ea983325b5543da1300cb8a4636c7062ef
- Filtering OS binaries 8efb0fad4585ecd4517b55ff5b5cec91f7dd364a
Get-PSAutorun -VerifyDigitalSignature | ? { -not $_.IsOSBinary }
Other links
- https://live.sysinternals.com
- https://docs.microsoft.com/en-us/sysinternals
- https://docs.microsoft.com/en-us/archive/blogs/sysinternals
Original Autoruns.exe from Mark Russinovich
This release of Autoruns resolves an issue where Microsoft Defender binaries were being flagged as unsigned.
This Autoruns update adds support for user Shell folders redirections.
This Autoruns update fixes a bug that prevented the correct display of the target of image hosts such as svchost.exe, rundll32.exe, and cmd.exe.
This Autoruns update fixes a bug that prevented UserInitMprLogonScript from being scanned and by-default enables HCKU scanning for the console version.
Autoruns, a comprehensive Windows autostart entry point (ASEP) manager, now includes Runonce*\Depend keys and GPO logon and logoff locations, as well as fixes a bug in WMI path parsing.
This Autoruns release shows Onenote addins and fixes several bugs.
This update to Autoruns fixes a Wow64 bug in Autorunsc that could cause 32-bit paths to result in 'file not found' errors, and expands the set of images not considered part of Windows for the Windows filter in order to reveal malicious files masquerading as Windows images
This release of Autoruns, a utility for viewing and managing autostart execution points (ASEPs), adds additional autostart entry points, has asynchronous file saving, fixes a bug parsing 32-bit paths on 64-bit Windows, shows the display name for drivers and services, and fixes a bug in offline Virus Total scanning.
This update to Autoruns, a comprehensive autostart execution point manager, adds Microsoft HTML Application Host (mshta.exe) as hosting image so it displays the hosted image details, and now doesn’t apply filters to hosting images.
Autoruns, an autostart entry point management utility, now reports print providers, registrations in the WMI\Default namespace, fixes a KnownDLLs enumeration bug, and has improved toolbar usability on high-DPI displays.
This release of Autoruns, a comprehensive autostart entry manager, fixes a WMI command-line parsing bug, emits a UNICODE BOM in the file generated when saving results to a text file, and adds back the ability to selectively verify the signing status of individual entries.
This update to Autoruns, the most comprehensive autostart viewer and manager available for Windows, now shows 32-bit Office addins and font drivers, and enables resubmission of known images to Virus Total for a new scan.
Autoruns, the most comprehensive utility available for showing what executables, DLLs, and drivers are configured to automatically start and load, now reports Office addins, adds several additional autostart locations, and no longer hides hosting executables like cmd.exe, powershell.exe and others when Windows and Microsoft filters are in effect.
Autoruns, a utility that shows what processes, DLLs, and drivers are configured to automatically load, adds reporting of GP extension DLLs and now shows the target of hosting processes like cmd.exe and rundll32.exe.
In addition to bug fixes to CSV and XML output, Autorunsc introduces import-hash reporting, and Autoruns now excludes command-line and other host processes from the Microsoft and Windows filters.
This release fixes a bug in v13 that caused autostart entry lines not to show when you enter a filter string into the toolbar's filter control
This major update to Autoruns, an autostart execution point (ASEP) manager, now has integration with Virustotal.com to show the status of entries with respect to scans by over four dozen antimalware engines. It also includes a revamped scanning architecture that supports dynamic filters, including a free-form text filter, a greatly improved compare feature that highlights not just new items but deleted ones as well, and file saving and loading that preserves all the information of a scan
This update to Autoruns adds the registered HTML file extension, fixes a bug that could cause disabling of specific entry types to fail with a “path not found” error, and addresses another that could prevent the Jump-to-image function from opening the selected image on 64-bit Windows.
This fixes a bug that could cause Autoruns to crash on startup, updates the image path parsing for Installed Components to remove false positive file-not-found entries, and correctly reports image entry timestamps in local time instead of UTC.
This update to Autoruns, a utility that comes in Windows application and command-line forms, has numerous bug fixes, adds a profile attribute/column to CSV and XML output, and interprets the CodeBase value for COM object registrations.
This release of Autoruns, a Windows application and command-line utility for viewing autostart entries, now reports the presence of batch file and executable image entries in the WMI database, a vector used by some types of malware.
This release of Autoruns, a powerful utility for scanning and disabling autostart code, adds a new option to have it show only per-user locations, something that is useful when analyzing the autostarts of different accounts than the one that Autoruns is running under.
This release fixes a bug in version 11.61’s jump-to-image functionality.