name: Custom.Windows.Sysinternals.Autoruns2
description: |
Uses Sysinternals autoruns to scan the host.
Note this requires syncing the sysinternals binary from the host.
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: All
type: bool
default: Y
- name: Boot execute
type: bool
- name: Codecs
type: bool
- name: Appinit DLLs
type: bool
- name: Explorer addons
type: bool
- name: Sidebar gadgets (Vista and higher)
type: bool
- name: Image hijacks
type: bool
- name: Internet Explorer addons
type: bool
- name: Known DLLs
type: bool
- name: Logon startups (this is the default)
type: bool
- name: WMI entries
type: bool
- name: Winsock protocol and network providers
type: bool
- name: Office addins
type: bool
- name: Printer monitor DLLs
type: bool
- name: LSA security providers
type: bool
- name: Autostart services and non-disabled drivers
type: bool
- name: Scheduled tasks
type: bool
- name: Winlogon entries
type: bool
- name: Verify digital signatures
type: bool
default: Y
- name: ToolInfo
type: hidden
description: Override Tool information.
sources:
- query: |
LET Flags = '''Option,Name
*,All
b,Boot execute
c,Codecs
d,Appinit DLLs
e,Explorer addons
g,Sidebar gadgets (Vista and higher)
h,Image hijacks
i,Internet Explorer addons
k,Known DLLs
l,Logon startups (this is the default)
m,WMI entries
n,Winsock protocol and network providers
o,Office addins
p,Printer monitor DLLs
r,LSA security providers
s,Autostart services and non-disabled drivers
t,Scheduled tasks
w,Winlogon entries
'''
LET Options = '''Option,Name
-s,Verify digital signatures
'''
-- The flags actually selected
LET flags = SELECT Option FROM parse_csv(accessor="data", filename=Flags)
WHERE get(field=Name)
-- The options actually selected
LET options = SELECT Option FROM parse_csv(accessor="data", filename=Options)
WHERE get(field=Name)
LET os_info <= SELECT Architecture FROM info()
// Get the path to the binary.
LET autoruns_path = 'C:\Windows\System32\Autoruns64.exe'
// Call the binary and return all its output in a single row.
LET output = SELECT * FROM execve(argv=[bin[0].OSPath,
'-nobanner', '-accepteula', '-t', '-a',
join(array=flags.Option, sep=""),
join(array=options.Option, sep=" "),
'-c', -- CSV output
'-h', -- Also calculate hashes
'*' -- All user profiles.
], length=10000000)
// Parse the CSV output and return it as rows. We can filter this further.
SELECT * FROM if(condition=bin,
then={
SELECT * FROM foreach(
row=output,
query={
SELECT * FROM parse_csv(filename=utf16(string=Stdout),
accessor="data")
})
})
name: Windows.Memory.HollowsHunter2
description: |
Use hollows_hunter to detect suspicious process injections.
Upload any findings to the server, including process dumps.
precondition:
SELECT OS From info() where OS = 'windows'
sources:
- name: Output
query: |
LET binaries = 'C:\Windows\System32\hollows_hunter64.exe'
SELECT *
FROM execve(argv=[binaries[0].FullPath,"/hooks",
"/json", "/dir", TempDir], sep="\n")
- name: Summary
query: |
LET LookupPid(pid) = SELECT Name, CommandLine, Exe FROM pslist(pid=pid)
SELECT *, LookupPid(pid=pid)[0] AS ProcessInfo
FROM foreach(row=parse_json(
data=read_file(filename=TempDir + "/summary.json")).suspicious)
- name: Uploads
query: |
SELECT upload(file=FullPath) AS Upload
FROM glob(globs="*", root=TempDir)
