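name: Custom.Windows.Sysinternals.Autoruns2
description: |
  Uses Sysinternals autoruns to scan the host.

  Note this requires syncing the sysinternals binary from the host.
  The binary is read from a fixed path (`autoruns_path` in the query)
  rather than fetched through Generic.Utils.FetchBinary, so nothing in
  this artifact verifies the file's hash before it is executed with the
  client's privileges. Keep that directory writable by administrators only.

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: All
    type: bool
    default: Y
  - name: Boot execute
    type: bool
  - name: Codecs
    type: bool
  - name: Appinit DLLs
    type: bool
  - name: Explorer addons
    type: bool
  - name: Sidebar gadgets (Vista and higher)
    type: bool
  - name: Image hijacks
    type: bool
  - name: Internet Explorer addons
    type: bool
  - name: Known DLLs
    type: bool
  - name: Logon startups (this is the default)
    type: bool
  - name: WMI entries
    type: bool
  - name: Winsock protocol and network providers
    type: bool
  - name: Office addins
    type: bool
  - name: Printer monitor DLLs
    type: bool
  - name: LSA security providers
    type: bool
  - name: Autostart services and non-disabled drivers
    type: bool
  - name: Scheduled tasks
    type: bool
  - name: Winlogon entries
    type: bool
  - name: Verify digital signatures
    type: bool
    default: Y
  - name: ToolInfo
    type: hidden
    description: Override Tool information.

sources:
  - query: |
      // Map of autoruns "-a" category letters to the bool parameter that
      // enables each one. The Name column must match the parameter names
      // above exactly, because get(field=Name) looks the parameter up by name.
      LET Flags = '''Option,Name
      *,All
      b,Boot execute
      c,Codecs
      d,Appinit DLLs
      e,Explorer addons
      g,Sidebar gadgets (Vista and higher)
      h,Image hijacks
      i,Internet Explorer addons
      k,Known DLLs
      l,Logon startups (this is the default)
      m,WMI entries
      n,Winsock protocol and network providers
      o,Office addins
      p,Printer monitor DLLs
      r,LSA security providers
      s,Autostart services and non-disabled drivers
      t,Scheduled tasks
      w,Winlogon entries
      '''

      // Standalone switches, enabled the same way.
      LET Options = '''Option,Name
      -s,Verify digital signatures
      '''

      -- The flags actually selected
      LET flags = SELECT Option FROM parse_csv(accessor="data", filename=Flags)
      WHERE get(field=Name)

      -- The options actually selected
      LET options = SELECT Option FROM parse_csv(accessor="data", filename=Options)
      WHERE get(field=Name)

      // Fixed location of the pre-staged Autoruns binary. This replaces the
      // usual Generic.Utils.FetchBinary lookup (which is what ToolInfo is
      // meant for), so no hash of the file is checked before execution.
      // NOTE(review): backslashes inside a quoted VQL string may be
      // escape-processed; a raw '''...''' literal is the safer form - confirm
      // on a client before relying on this path.
      LET autoruns_path = 'C:\Windows\System32\Autoruns64.exe'

      // Resolve the path to a row so the if(condition=bin ...) guard below
      // only runs the tool when the file actually exists; previously `bin`
      // was never defined, so the guard always failed and nothing ran.
      // Older clients expose this column as FullPath rather than OSPath.
      LET bin <= SELECT OSPath FROM stat(filename=autoruns_path)

      // Call the binary and return all its output in a single row.
      LET output = SELECT * FROM execve(argv=[bin[0].OSPath,
          '-nobanner', '-accepteula', '-t', '-a',
          join(array=flags.Option, sep=""),
          join(array=options.Option, sep=" "),
          '-c', -- CSV output
          '-h', -- Also calculate hashes
          '*'   -- All user profiles.
      ], length=10000000)

      // Parse the CSV output and return it as rows. We can filter this further.
      SELECT * FROM if(condition=bin, then={
        SELECT * FROM foreach(row=output, query={
          SELECT * FROM parse_csv(filename=utf16(string=Stdout), accessor="data")
        })
      })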
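name: Windows.Memory.HollowsHunter2
description: |
  Use hollows_hunter to detect suspicious process injections. Upload
  any findings to the server, including process dumps.

  The binary is read from a fixed path (`hh_path` in the Output source)
  rather than fetched through Generic.Utils.FetchBinary, so its hash is
  not verified before it runs with the client's privileges. Uploaded
  process dumps are raw process memory and may contain credentials or
  other secrets; restrict who can read this collection on the server.

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - name: Output
    query: |
      // Fixed location of the pre-staged hollows_hunter binary.
      // NOTE(review): backslashes inside a quoted VQL string may be
      // escape-processed; a raw '''...''' literal is the safer form - confirm
      // on a client before relying on this path.
      LET hh_path = 'C:\Windows\System32\hollows_hunter64.exe'

      // Resolve the path to a row. Previously `binaries` was the bare
      // string, so binaries[0].FullPath did not yield a usable argv[0].
      // Newer clients expose this column as OSPath rather than FullPath.
      LET binaries <= SELECT FullPath FROM stat(filename=hh_path)

      // Scratch directory that hollows_hunter writes summary.json and any
      // dumps into. The Summary and Uploads sources read it by this name;
      // NOTE(review): confirm those sources see this LET - if each source
      // runs in its own scope, TempDir must be provided another way.
      LET TempDir <= tempdir()

      // One row per output line (sep="\n").
      SELECT * FROM execve(argv=[binaries[0].FullPath, "/hooks", "/json", "/dir", TempDir], sep="\n")

  - name: Summary
    query: |
      // Enrich each reported PID with the live process name, command
      // line and image path.
      LET LookupPid(pid) = SELECT Name, CommandLine, Exe FROM pslist(pid=pid)

      // The /json switch writes summary.json; its "suspicious" array holds
      // one entry per flagged process.
      SELECT *, LookupPid(pid=pid)[0] AS ProcessInfo
      FROM foreach(row=parse_json(
          data=read_file(filename=TempDir + "/summary.json")).suspicious)

  - name: Uploads
    query: |
      // Upload everything hollows_hunter left in the scratch directory,
      // including process dumps.
      SELECT upload(file=FullPath) AS Upload
      FROM glob(globs="*", root=TempDir)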