🚀AutoRuns is a PowerShell module that will help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.
License: Other
Hey, awesome tool! Do you plan on supporting the loading and enumerating of user hives?
Avoid the Turkish-I problem or the impact of other languages when the module and its function are used in a different culture than en-US?
Get-PSAutorun -ScheduledTasks | ? Item -eq 'CleanupOldPerfLogs'
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs
Item : CleanupOldPerfLogs
Category : Task
Value : %systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1)
$(Arg2)
ImagePath : C:\WINDOWS\system32\cscript.exe \B \nologo %systemroot%\system32\calluxxprovider.vbs
Size :
LastWriteTime :
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17763.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ScheduledTasks
Path : C:\Windows\system32\Tasks\\Disable DNS registration
Item : Disable DNS registration
Category : Task
Value : System.Object[] System.Object[]
ImagePath : System.Object[] System.Object[]
Size : 0
LastWriteTime :
Version :Display an entry per program executed
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17134.48
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17134.48
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ScheduledTasks | ? { $_.Path -match "conexant" }
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\MicTray
Item : MicTray
Category : Task
Value : "C:\Windows\System32\MicTray64.exe"
ImagePath : C:\WINDOWS\system32\.exePath : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\MicTray
Item : MicTray
Category : Task
Value : "C:\Windows\System32\MicTray64.exe"
ImagePath : C:\Windows\System32\MicTray64.exe
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.18362.145
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.145
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1No size, version... because of quotes for services located in ProgramData
Get-PSAutorun -ServicesAndDrivers
Path : HKLM:\System\CurrentControlSet\Services\WinDefend
Item : ImagePath
Category : Services
Value : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MsMpEng.exe"
ImagePath : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MsMpEng.exe"
Size :
LastWriteTime :
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1$profile | fl -ForceList the following if these files exist using a new category named PSProfiles
AllUsersAllHosts : C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
AllUsersCurrentHost : C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
CurrentUserAllHosts : C:\Users\local-user\Documents\WindowsPowerShell\profile.ps1
CurrentUserCurrentHost : C:\Users\local-user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
They are not considered as a persistence mechanism...
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.248
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.248
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1dir c:\windows\AppPatch\sysmain.sdb
dir "hklm:\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb"
# Custom databases are stored in:
dir C:\windows\AppPatch\custom
dir c:\windows\AppPatch\AppPatch64\Custom
dir "hklm:\software\microsoft\windows nt\currentversion\appcompatflags\custom"List if any
See https://www.redcanary.com/blog/detecting-application-shimming/
They are considered as a persistence mechanism
https://attack.mitre.org/wiki/Technique/T1138
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.248
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.248
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Use this post https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
Check correctly every addition under RunOnceEx key
Not sure, test, test, test
Both on PS 5.1 and 6.0.2
> $PSVersionTable
Hi There,
I'm wondering how your tool parses unquoted service paths when enumerating services?
Example would be when SC Manager returns an entry for service binary path that is:
C:\Program Files\te.exe st\te -st.exe -param1 testing
The file path is not enclosed in quotes, and ' -' (space followed by dash) is a valid filename. 'te.exe st' is also a valid folder path. So you can't trim everything after ".exe" nor can you trim everything after " -".
An unquoted service path such as this is considered a local privilege escalation vulnerability, but I'd still like to be able to parse the path and ensure it is hashed. Does your implementation successfully hash such a service?
C:\WINDOWS\inf\unregmp2.exe not found
Get-PSAutorun -Logon| ? { -not($_.Size)}
Path : HKLM:\SOFTWARE\\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Item : StubPath
Category : Logon
Value : C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ImagePath : C:\WINDOWS\inf\unregmp2.exe
Size :
LastWriteTime :
Version :The file unregmp2.exe exists under c:\Windows\System32 and c:\Windows\SysWOW64
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -LSAsecurityProviders | ? Path -match 'OSConfig'$null
Path : HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig
Item : Security Packages
Category : LSA Providers
Value :
ImagePath : C:\WINDOWS\system32\.dll
Size :
LastWriteTime :
Version :
> $PSVersionTable
Name Value
---- -----
PSVersion 6.0.0
PSEdition Core
GitCommitId v6.0.0
OS Microsoft Windows 10.0.16299
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0See https://www.youtube.com/watch?v=wxmxxgL6Nz8
See https://specterops.io/.../SpecterOps_Subverting_Trust_in_Windows.pdf
See https://github.com/mattifestation/PoCSubjectInterfacePackage
See https://gist.github.com/mattifestation/439720e2379f4bc93f0ed3ce88814b5b
See https://www.youtube.com/watch?v=I3jCGBzMmzw
List registered trust providers
List registered subject interface packages (SIP)
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.248
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.248
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ScheduledTasks | ? Item -eq 'Server Manager Performance Monitor'
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor
Item : Server Manager Performance Monitor
Category : Task
Value : %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance
Monitor" "$(Arg0)"
ImagePath : C:\WINDOWS\system32\%systemroot%\system32\pla.dll> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17763.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Path : C:\WINDOWS\system32\Tasks\\Action!
Item : Action!
Category : Task
Value : C:\Program Files (x86)\Mirillis\Action!\Action.vbs
ImagePath : C:\Program Files (x86)\
Size : 1
LastWriteTime : 31/03/2018 11:57:43
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Imagepath of a scheduled task is wrong when the target value uses localappdata variable
Get-PSAutorun -ScheduledTasks | ? Value -match 'localappdata' | fl Value,ImagePathValue : %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
ImagePath : $($env:localappdata)\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Value : %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
ImagePath : C:\WINDOWS\system32\.exe
> $PSVersionTable
Name Value
---- -----
PSVersion 6.0.0
PSEdition Core
GitCommitId v6.0.0
OS Microsoft Windows 10.0.16299
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0Path : C:\WINDOWS\system32\Tasks\\logoff PS
Item : logoff PS
Category : Task
Value : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec Bypass -File
c:\windows\system32\logoff.ps1
ImagePath : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Size : 449024
LastWriteTime : 29/09/2017 15:43:19
Version : 10.0.16299.15What about detecting the script and not PowerShell.exe?
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1 Get-PSAutorun -ScheduledTasks | ? { $_.value -match "conexant" }
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\SA3
Item : SA3
Category : Task
Value : "C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe" /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne
ImagePath : C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe" \sa3 \nv:3.0Get rid of what appears behind .exe
Get-PSAutorun -ScheduledTasks | ? { $_.value -match "conexant" }
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\SA3
Item : SA3
Category : Task
Value : "C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe" /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne
ImagePath : C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.18362.145
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.145
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1When ShowFileHash and VerifyDigitalSignature switches are used, don't drop items that have a problem with their ImagePath property because they may be malicious.
Get-PSAutorun -ShowFileHash -VerifyDigitalSignature> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ScheduledTasks | ? Path -match 'ReplaceOMCert'
Path : C:\Windows\system32\Tasks\Microsoft\Windows\CertificateServicesClient\Notification\ReplaceOMCert
Item : ReplaceOMCert
Category : Task
Value : %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Tools\UpdateOMCert.ps1" -OldCertHash $(OldCertHash) -NewCertHash $(NewCertHash) -EventRecordId $(EventRecordId)
ImagePath : Agent\Agent\Tools\UpdateOMCert.ps1
Size :
LastWriteTime :
Version :The imagepath should contain the correct path to the ps1 script
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.431
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.431
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ServicesAndDrivers | ? { $null -eq $_.Lastwritetime }
Path : HKLM:\System\CurrentControlSet\Services\AsIO
Item : ImagePath
Category : Drivers
Value : SysWow64\drivers\AsIO.sys
ImagePath : SysWow64\drivers\AsIO.sys
Size :
LastWriteTime :
Version :
Path : HKLM:\System\CurrentControlSet\Services\AsUpIO
Item : ImagePath
Category : Drivers
Value : SysWow64\drivers\AsUpIO.sys
ImagePath : SysWow64\drivers\AsUpIO.sys
Size :
LastWriteTime :
Have the correct imagepath
> $PSVersionTable
PSVersion 5.1.17763.134
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.134
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Get-PSAutorun -WMI | ? Item -eq 'MSiSCSIInitiatorProvider'
Path : \\.\ROOT\WMI:__Win32Provider.Name='MSiSCSIInitiatorProvider'
Item : MSiSCSIInitiatorProvider
Category : WMI
Value : %SystemRoot%\System32\iscsiwmi.dll
ImagePath : %SystemRoot%\System32\iscsiwmi.dll
Size :
LastWriteTime :
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17763.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1It seems that "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup is being queried
Use this post that contains an example https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
Other examples: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Get-PSAutorun -ServicesAndDrivers | ? Value -match 'Defender.+\.sys' | fl Value,ImagePathValue : \??\C:\ProgramData\Microsoft\Windows Defender\Definition
Updates\{26AAEA37-F8BB-41DA-90AF-F3428F460537}\MpKsl8ae2c888.sys
ImagePath : C:\ProgramData\Microsoft\Windows Defender\Definition
Updates\{26AAEA37-F8BB-41DA-90AF-F3428F460537}\MpKsl8ae2c888.sys
Value : \??\C:\ProgramData\Microsoft\Windows Defender\Definition
Updates\{26AAEA37-F8BB-41DA-90AF-F3428F460537}\MpKsl8ae2c888.sys
ImagePath : \??\C:\ProgramData\Microsoft\Windows Defender\Definition
Updates\{26AAEA37-F8BB-41DA-90AF-F3428F460537}\MpKsl8ae2c888.sys
> $PSVersionTable
Name Value
---- -----
PSVersion 6.0.0
PSEdition Core
GitCommitId v6.0.0
OS Microsoft Windows 10.0.16299
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0The following article talks about: Background Task Support in WSL
https://blogs.msdn.microsoft.com/commandline/2017/12/04/background-task-support-in-wsl/
Does or will the "Windows Subsystem for Linux" (WSL) provide a persistence mecanism?
Get-PSAutorun -ServicesAndDrivers | ? { $_.Size -eq 1 }
Path : HKLM:\System\CurrentControlSet\Services\ibtsiva
Item : ImagePath
Category : Services
Value : C:\Windows\system32\ibtsiva
ImagePath : C:\Windows\
Size : 1
LastWriteTime : 12/28/2018 2:10:35 AM
Version :Find C:\Windows\system32\ibtsiva.exe
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17763.134
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.134
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Path : C:\WINDOWS\system32\Tasks\\action2
Item : action2
Category : Task
Value : "C:\Program Files\action.bat"
ImagePath : C:\Program Files\
Size : 1
LastWriteTime : 03/03/2018 11:00:24
Version :.bat is only one extension, let's also consider other extensions...
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1From https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value:
"The AppInit_DLLs value has type "REG_SZ." This value has to specify a NULL-terminated string of DLLs that is delimited by spaces or by commas. Because spaces are used as delimiters, do not use long file names. The system does not recognize semicolons as delimiters for these DLLs."
Your script does not handle comma or space delimited strings, but assumes there is only one string.
OfficeAddins don't have an imagepath when HKCU hive is in use
Get-PSAutorun -OfficeAddins | ? {-not($_.Size)}
Path : HKCU:\SOFTWARE\\Microsoft\Office\Excel\Addins
Item : AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1
Category : Office Addins
Value : {509E7382-B849-49A4-8A3F-BEAB7E7D904C}
ImagePath : {509e7382-b849-49a4-8a3f-beab7e7d904c}
Size :
LastWriteTime :
Version :
Path : HKCU:\SOFTWARE\\Microsoft\Office\Excel\Addins
Item : PowerPivotExcelClientAddIn.NativeEntry.1
Category : Office Addins
Value : {A2DBA3BE-42CC-4D0E-95FD-BCAA051BA798}
ImagePath : {a2dba3be-42cc-4d0e-95fd-bcaa051ba798}
Size :
LastWriteTime :
Version :
Path : HKCU:\SOFTWARE\\Microsoft\Office\PowerPoint\Addins
Item : OneNote.PowerPointAddinTakeNotesService
Category : Office Addins
Value : {3A7CAEBB-C5C3-4EFF-ADDF-C32663BDF8DA}
ImagePath : {3a7caebb-c5c3-4eff-addf-c32663bdf8da}
Size :
LastWriteTime :
Version :
Path : HKCU:\SOFTWARE\\Microsoft\Office\Word\Addins
Item : OneNote.WordAddinTakeNotesService
Category : Office Addins
Value : {C580A1B2-5915-4DC3-BE93-8A51F4CAB320}
ImagePath : {c580a1b2-5915-4dc3-be93-8a51f4cab320}
Size :
LastWriteTime :
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1No size, version for Known dlls where image path is set to C:\WINDOWS\Syswow64
Get-PSAutorun -KnownDLLs | ? Value -match "wow64" | ? { -not($_.Size)}
Path : HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Item : _Wow64
Category : Known Dlls
Value : Wow64.dll
ImagePath : C:\WINDOWS\Syswow64\Wow64.dll
Size :
LastWriteTime :
Version :
Path : HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Item : _Wow64cpu
Category : Known Dlls
Value : Wow64cpu.dll
ImagePath : C:\WINDOWS\Syswow64\Wow64cpu.dll
Size :
LastWriteTime :
Version :
Path : HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Item : _Wow64win
Category : Known Dlls
Value : Wow64win.dll
ImagePath : C:\WINDOWS\Syswow64\Wow64win.dll
Size :
LastWriteTime :
Version :These above dll files only exist in System32
NB: wowarmhw.dll (not listed here) is not found
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Imagepath almost empty for a scheduled task where the target dll file has many dots in its name
Get-PSAutorun -ScheduledTasks |
? Value -match 'Windows\.SharedPC\.AccountManager\.dll' |
fl Value,ImagePathValue : %windir%\System32\rundll32.exe %windir%\System32\Windows.SharedPC.AccountManager.dll,StartMaintenance
ImagePath : C:\WINDOWS\system32\Windows.SharedPC.AccountManager.dll
Value : %windir%\System32\rundll32.exe %windir%\System32\Windows.SharedPC.AccountManager.dll,StartMaintenance
ImagePath : C:\WINDOWS\system32\
> $PSVersionTable
Name Value
---- -----
PSVersion 6.0.0
PSEdition Core
GitCommitId v6.0.0
OS Microsoft Windows 10.0.16299
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0Defender related scheduled tasks don't have a correct imagepath
Get-PSAutorun -ScheduledTasks | ? Value -match "MpCmdRun" | ? { -not($_.Size)}
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance
Item : Windows Defender Cache Maintenance
Category : Task
Value : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance
Size :
LastWriteTime :
Version :
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup
Item : Windows Defender Cleanup
Category : Task
Value : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe -IdleTask -TaskName WdCleanup
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe -IdleTask -TaskName WdCleanup
Size :
LastWriteTime :
Version :
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
Item : Windows Defender Scheduled Scan
Category : Task
Value : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55
Size :
LastWriteTime :
Version :
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification
Item : Windows Defender Verification
Category : Task
Value : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe -IdleTask -TaskName WdVerification
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe -IdleTask -TaskName WdVerification
Size :
LastWriteTime :
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Use this post https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
The \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit value can be of the format:
C:\Windows\System32\userinit.exe,"C:\malware.exe",
Note: The trailing comma is necessary. It ensures that any settings added by another piece of software or GPO are delimited as necessary.
Your script does not take c:\malware.exe has a separate persistent item.
Get-PSAutorun -ScheduledTasks
Path : C:\Windows\system32\Tasks\\Test
Item : Test
Category : Task
Value : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File
"C:\Windows\TTest.ps1" -CustomParam
ImagePath : "C:\Windows\TTest.ps1
Size :
LastWriteTime :
Version :
Path : C:\Windows\system32\Tasks\\Test2
Item : Test2
Category : Task
Value : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File
"C:\Windows\TTest.ps1"
ImagePath : "C:\Windows\TTest.ps1
Size :
LastWriteTime :
Version :Notice the leading quote in the ImagePath property
Display the correct info in the ImagePath property
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17134.48
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17134.48
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Image Hijacks: target imagepath is null for htmlfile command
Get-PSAutorun -ImageHijacks | ? Item -eq "htmlfile"
Path : HKLM:\SOFTWARE\Classes\htmlfile\shell\open\command
Item : htmlfile
Category : Image Hijacks
Value : "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1
ImagePath :
Size :
LastWriteTime :
Version :Should be C:\Program Files\Internet Explorer\IEXPLORE.EXE
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1No size, version... because of quotes for services located in ProgramData
Get-PSAutorun -ServicesAndDrivers
Path : HKLM:\System\CurrentControlSet\Services\BEDaisy
Item : ImagePath
Category : Drivers
Value : \??\C:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys
ImagePath : \??\C:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys
Size :
LastWriteTime :
Version :Fortnite from Epic Games requires this ... kernel driver to stop cheaters 🙄
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ServicesAndDrivers | ? Path -match 'MMAExtensionHeartbeatService'
Path : HKLM:\System\CurrentControlSet\Services\MMAExtensionHeartbeatService
Item : ImagePath
Category : Services
Value : "C:\Packages\Plugins\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\1.0.11081.4\MMAExtensionHeartbeatService.exe"
ImagePath : "C:\Packages\Plugins\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\1.0.11081.4\MMAExtensionHeartbeatService.exe"
Size :
LastWriteTime :
Version :
No quotes in ImagePath
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.431
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.431
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1The file isn't located in c:\program files\ but in 'C:\Program Files (x86)'
Get-PSAutorun -ScheduledTasks | ? {-not($_.Size)}
Path : C:\WINDOWS\system32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat
Item : Office 15 Subscription Heartbeat
Category : Task
Value : %ProgramFiles%\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe
ImagePath : C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Size :
LastWriteTime :
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1No size, version if Drivers is in %programfile% and values has \??\ at the beginning
Get-PSAutorun -ServicesAndDrivers
Path : HKLM:\System\CurrentControlSet\Services\LGCoreTemp
Item : ImagePath
Category : Drivers
Value : \??\C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys
ImagePath : \??\C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys
Size :
LastWriteTime :
Version :
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.251
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.251
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ScheduledTasksTBD. In this case the script is inside the omitted -Command parameter scriptblock
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\SMB\UninstallSMB1ClientTask
Item : UninstallSMB1ClientTask
Category : Task
Value : %windir%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive
-NoProfile -WindowStyle Hidden "&
%windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
ImagePath : -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "&
%windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1
Size :
LastWriteTime :
Version :
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\SMB\UninstallSMB1ServerTask
Item : UninstallSMB1ServerTask
Category : Task
Value : %windir%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive
-NoProfile -WindowStyle Hidden "&
%windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"
ImagePath : -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "&
%windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1
Size :
LastWriteTime :
Version :
Get-PSAutorun -ScheduledTasks | ? Item -eq "FODCleanupTask"
Path : C:\Windows\system32\Tasks\Microsoft\Windows\HelloFace\FODCleanupTask
Item : FODCleanupTask
Category : Task
Value : %WinDir%\System32\WinBioPlugIns\FaceFodUninstaller.exe
ImagePath : C:\Windows\system32\
Size : 1
LastWriteTime : 22/05/2018 17:37:57
Version :> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.17134.48
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17134.48
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -ScheduledTasksGet the correct ImagePath
Path : C:\WINDOWS\system32\Tasks\Lenovo\ImController\Lenovo iM Controller Monitor
Item : Lenovo iM Controller Monitor
Category : Task
Value : "%windir%\system32\ImController.InfInstaller.exe" -checkremoval
ImagePath : C:\WINDOWS\system32\.exe
Get-PSAutorun -WMIFix compatibility issue with PSCore 6.0
Get-WMIObject : The term 'Get-WMIObject' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again
> $PSVersionTable
Name Value
---- -----
PSVersion 6.0.0
PSEdition Core
GitCommitId v6.0.0
OS Microsoft Windows 10.0.16299
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0Get-PSAutorun -ExplorerAddons | ? Value -match 'Defender' | fl Value,ImagePathValue : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll
Value : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll
Value : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
ImagePath : C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll
Value : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
ImagePath : C:\WINDOWS\system32\"C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
Value : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
ImagePath : C:\WINDOWS\system32\"C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
Value : "C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
ImagePath : C:\WINDOWS\system32\"C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll"
> $PSVersionTable
Name Value
---- -----
PSVersion 6.0.0
PSEdition Core
GitCommitId v6.0.0
OS Microsoft Windows 10.0.16299
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0Rather than just indicating if a certificate is verified or not, it will be great to get the subject name and also who the certificate was issued by. While SignerCertificate.Subject returns the subject name, I am not sure how to get the issuer details.
Get-DscConfiguration
Get-DscConfigurationStatus
Get-DscLocalConfigurationManagerList mof files stored locally?
dir C:\Windows\system32\Configuration\*.mof
They are not considered as a persistence mechanism...
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.248
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.248
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1Get-PSAutorun -Logon| ? {$_.Item -match 'OneNote\.lnk' }
Path : C:\Users\myuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Item : Send to OneNote.lnk
Category : Logon
Value : C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr
ImagePath : C:\Program Files (x86)\
Size : 1
LastWriteTime : 22/06/2018 05:57:20Detect the correct path to ONENOTEM.EXE
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.16299.492
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.492
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.