Releases: p0w3rsh3ll/AutoRuns
Release version 14.0.2
Changes and fixes in this release 14.0.2
The module files aren't signed with a Digicert certificate anymore since version 14.0.1
Fixed issues:
- Issue 109: ImagePath for SID 500 is wrong #109
- Issue 110: Another anti-cheat driver #110
- Issue 112: Issue with FACEIT #112
- Issue 113: Issue with driver on another drive #113
- Issue 114: Scheduled task with .exe in SysWOW64 #114
- Issue 115: Scheduled task using %windir% #115
- Issue 116: Filepath for group policies #116
Release version 14.0.1
Changes and fixes in this release 14.0.1
The module files aren't signed with a Digicert certificate anymore
Fixed issues:
- Issue 98: PRM driver ImagePath #98
- Issue 100: WinSXS pending #100
- Issue 101: OneDrive Reporting task #101
- Issue 102: ImagePath of cmd based scheduled task #102
- Issue 103: Issue with firefox update task #103
- Issue 104: Issue with HP scheduled task #104
- Issue 105: Issue with HP scheduled task #105
- Issue 106: Issue with Office Feature Updates scheduled task #106
- Issue 107: Issue with the HP Consent Manager Launcher scheduled task #107
Release version 14.0
Changes and fixes in this release 14.0
# New in 14.0
HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartDisconnect
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Ctf\LangBarAddin
HKLM\Software\Wow6432Node\Classes\Filter
HKCU\SOFTWARE\Wow6432Node\Microsoft\Office test\Special\Perf\(Default)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Office test\Special\Perf\(Default)
# Was in 13.99
HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Release version 13.99
Changes and fixes in this release 13.99
Fixed issues:
- Issue 87: Startup (shell folders and user shell folders) #87
# Back in 13.99
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
# Was in 13.88
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\local-user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The registry keys are back, and below them the module shows the files present in these locations and their target (if it's a .lnk).
- Issue 88: Logon new locations introduced in 13.99 #88
Not mentioned in the official release notes, but the new 13.99 also looks for these 2 new keys and values:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AltStartup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AltStartup
Release version 13.98.1
Changes and fixes in this release 13.98.1
New functions:
Fixed issues:
Release version 13.98
Changes and fixes in this release 13.98
- Update internal Get-FileHash function (issue #77)
The internal Get-FileHash function has actually been removed from the module, and the minimum PowerShell version required to run this module has been raised from 3.0 to 4.0 (the version that ships Get-FileHash as a built-in cmdlet).
Release version 13.95
Changes and fixes in this release 13.95
- Add support for user shell folders (issue #58)
- Adding a -Raw parameter (issue #56)
The output is the result of the core private function Get-PSRawAutoRun. This is the way artifacts are read: there is no modification nor any attempt to "prettify" anything. It's incompatible with the -ShowFileHash and -VerifyDigitalSignature parameters.
Get-PSAutorun -Raw | ogv
- Handle PowerShell profiles (may not be exhaustive because it depends on the host) (see issue #12). A new -PSProfiles parameter has been added for this purpose.
Get-PSAutorun -PSProfiles
Path : C:\Windows\System32\WindowsPowerShell\v1.0
Item : profile.ps1
Category : PowerShell profiles
Value : C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
ImagePath : C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
- Detect correctly the scheduled task UninstallSMB1ClientTask & UninstallSMB1ServerTask (see issue #62 )
Value : %windir%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& %windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\MicTray
Item : MicTray
Category : Task
Value : "C:\Windows\System32\MicTray64.exe"
ImagePath : C:\Windows\System32\MicTray64.exe
Path : C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\SA3
Item : SA3
Category : Task
Value : "C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe" /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne
ImagePath : C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe
- Detect correctly the scheduled task for the Dropbox binary (see issue #63 )
Value : C:\Users\username\AppData\Local\Dropbox\Update\DropboxUpdate.exe /c
ImagePath : C:\Users\username\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Value : C:\Users\username\AppData\Local\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
ImagePath : C:\Users\username\AppData\Local\Dropbox\Update\DropboxUpdate.exe
- Detect correctly the Dropbox binary in the logon category (see issue #64 )
Path : C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Item : Dropbox.lnk
Category : Logon
Value : C:\Users\username\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup
ImagePath : C:\Users\username\AppData\Roaming\Dropbox\bin\Dropbox.exe
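Because profile discovery depends on the host, the practical check is to enumerate profile scripts by file name rather than through $PROFILE, which only describes the host currently running. The following is an added example written for these notes, not code from the AutoRuns module; it assumes the AllUsers profiles live in $PSHOME and the CurrentUser profiles in the WindowsPowerShell and PowerShell folders under My Documents, and it needs PowerShell 4.0 for Get-FileHash, matching the module's own minimum.

```powershell
# Added example (editor's code, not the AutoRuns module's): list every PowerShell
# profile script on disk by file name pattern rather than through $PROFILE, which
# only describes the host that is currently running. Assumed locations: $PSHOME
# for AllUsers profiles, and the user's WindowsPowerShell and PowerShell (pwsh)
# folders under My Documents for CurrentUser profiles.
function Get-PSProfileScript {
    [CmdletBinding()]
    param()

    $docs  = [Environment]::GetFolderPath('MyDocuments')
    $roots = @(
        @{ Scope = 'AllUsers';    Path = $PSHOME }
        @{ Scope = 'CurrentUser'; Path = (Join-Path $docs 'WindowsPowerShell') }
        @{ Scope = 'CurrentUser'; Path = (Join-Path $docs 'PowerShell') }
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root.Path -PathType Container)) { continue }

        # profile.ps1 runs in every host; <HostId>_profile.ps1 runs in one host only
        # (Microsoft.PowerShell_profile.ps1, Microsoft.PowerShellISE_profile.ps1, ...)
        Get-ChildItem -LiteralPath $root.Path -Filter '*profile.ps1' -File |
        Where-Object { $_.Name -eq 'profile.ps1' -or $_.Name -like '*_profile.ps1' } |
        ForEach-Object {
            $hostId = if ($_.Name -eq 'profile.ps1') { 'AllHosts' } else { $_.Name -replace '_profile\.ps1$', '' }
            [PSCustomObject]@{
                Scope     = $root.Scope
                HostId    = $hostId
                Path      = $_.FullName
                LastWrite = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# A profile in $PSHOME with Signature NotSigned or HashMismatch deserves a closer look:
# it runs for every user of that host, before any command they type.
Get-PSProfileScript | Format-Table -AutoSize
```

Third-party hosts (VS Code, build agents, custom runspaces) may look elsewhere, so treat this as a superset of what $PROFILE reports on the host you are in, not as a complete inventory.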
Release version 13.94
Changes and fixes in this release 13.94
- Detect correctly the scheduled task Server Manager Performance Monitor (see issue #49)
Value : %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
ImagePath : C:\WINDOWS\system32\pla.dll
- Detect correctly the scheduled task CleanupOldPerfLogs (see issue #50 )
Value : %systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1)
ImagePath : C:\WINDOWS\system32\calluxxprovider.vbs
- Detect correctly the MSiSCSIInitiatorProvider WMI provider (see issue #51)
Value : %SystemRoot%\System32\iscsiwmi.dll
ImagePath : C:\Windows\System32\iscsiwmi.dll
- Detect correctly a driver located in the 32bit Windows path (see issue #52)
Value : SysWow64\drivers\AsUpIO.sys
ImagePath : C:\Windows\SysWow64\drivers\AsUpIO.sys
- Partial fix for issue #53: wrong ImagePath when the service value targets a file without extension
Value : C:\Windows\system32\ibtsiva
ImagePath : C:\Windows\system32\ibtsiva
Release version 13.90.1
Changes and fixes in this release 13.90.1
- Detect subfolders under all RunOnceEx registry keys (see issue #18). Splits on the pipe character if anything is found.
- Adding a new User parameter. It's a dynamic parameter.
It scans the Security Identifiers (SIDs) found under HKEY_USERS and displays them translated to an account name. A wildcard character indicates that all SIDs found under HKEY_USERS will be scanned. The User dynamic parameter is not mandatory; by default only the HKCU hive is scanned.
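To show what scanning HKEY_USERS by SID involves, here is an added example written for these notes (editor's code, not the module's implementation of the User parameter). It enumerates the hives loaded under HKEY_USERS, translates each SID to an account name, and reads the per-user Run and RunOnce keys from every hive that matches; the function and parameter names are the editor's own.

```powershell
# Added example (editor's code, not the AutoRuns module's): enumerate the SIDs loaded
# under HKEY_USERS, translate each to an account name, and read the per-user Run/RunOnce
# keys from every matching hive. Only hives of logged-on users are loaded; other profiles
# would need their NTUSER.DAT loaded with reg.exe first, which this example does not do.
function Get-LoadedUserHive {
    param([string] $User = '*')   # '*' = every SID; otherwise a SID or an account name

    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-\d+(-\d+)*$' } |   # skips .DEFAULT and *_Classes
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $_.PSChildName
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # orphaned or unreachable-domain SID: keep the raw SID
        [PSCustomObject]@{
            SID     = $sid.Value
            Account = $account
            Hive    = "Registry::HKEY_USERS\$($sid.Value)"
        }
    } |
    Where-Object { $User -eq '*' -or $_.SID -eq $User -or $_.Account -like $User }
}

function Get-UserRunEntry {
    param([string] $User = '*')

    $subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # provider bookkeeping properties that Get-ItemProperty adds; they are not registry values
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($hive in (Get-LoadedUserHive -User $User)) {
        foreach ($sub in $subKeys) {
            $key = "$($hive.Hive)\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $psProps) { continue }
                [PSCustomObject]@{
                    Account = $hive.Account
                    Key     = $key
                    Item    = $p.Name
                    Value   = $p.Value
                }
            }
        }
    }
}

# Every loaded user, as the module's -User '*' would; pass a SID or 'DOMAIN\name' to narrow it.
Get-UserRunEntry -User '*' | Format-Table -AutoSize -Wrap
```

Run it elevated: reading another user's hive under HKEY_USERS needs more than the current user's rights, and a SID that fails to translate is still worth reporting, since an orphaned SID with a populated Run key is itself an anomaly.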
Release version 13.82.1
Changes and fixes in this release 13.82.1
- Detect drivers and services in C:\ProgramData, regex was wrong (see issue #19)
"C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MsMpEng.exe"
- Detect drivers and services in C:\Program Files, regex was wrong (see issue #20)
\??\C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys
- Add correct imagepath detection of KnownDLLs: Wow64.dll, Wow64cpu.dll, Wow64win.dll (see issue #21). These files only exist in System32, and wowarmhw.dll is not found on an x64 platform.
- Detect Windows Defender scheduled tasks that run C:\ProgramData....*.exe (see issue #22)
- Detect file iexplore.exe from htmlfile item in ImageHijacks category (see issue #23)
- Detect the correct path of unregmp2.exe in Logon category (see issue #24)
- OfficeAddins have a correct imagepath when HKCU hive is in use (see issue #26)
- New detection added for persistence using GlobalFlags in Image File Execution Options (see issue #27)
- Detect drivers and services such as (see issue #30)
\??\C:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys
- Detect scheduled tasks that run directly a vbscript (see issue #31)
C:\Program Files (x86)\Mirillis\Action!\Action.vbs
- Detect scheduled tasks that run directly a .bat file (see issue #32)
"C:\Program Files\action.bat"
- Instead of returning the image path of powershell.exe, returns the path of the script launched (see issue #33)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec Bypass -File c:\windows\system32\logoff.ps1
- When the ShowFileHash and VerifyDigitalSignature switches are used, don't drop items that have a problem with their ImagePath property, because they may be malicious. Previously, if the ImagePath had a value and Test-Path didn't return true, the object in the pipeline was dropped by the internal Add-PSAutoRunAuthentiCodeSignature function (see issue #34).
- Scheduled tasks with multiple programs started are correctly detected (see issue #36)
- Fix regular expression so that it detects a script enclosed in quotes (see issue #37)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File "C:\Windows\TTest.ps1" -CustomParam
- Fix the case in the regular expression used to detect a scheduled task (see issue #38)
- Detect services if they are located in c:\packages (see issue #40)
"C:\Packages\Plugins\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\1.0.11081.4\MMAExtensionHeartbeatService.exe"
- Fix regular expression used to detect a PowerShell script (see issue #41)
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Tools\UpdateOMCert.ps1" -OldCertHash $(OldCertHash) -NewCertHash $(NewCertHash) -EventRecordId $(EventRecordId)
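Most fixes in 13.82.1, 13.94 and 13.95 are about the same problem: turning the raw Value of a service, driver or scheduled task into the ImagePath that actually gets hashed and signature-checked. The following is an added example written for these notes, not the module's own parsing code. It covers the cases listed above (%var% expansion, the \??\ driver prefix, paths relative to the Windows directory, unquoted paths with spaces, files without an extension, and powershell/cscript/rundll32 launchers whose payload is a script or DLL). It assumes the Windows directory is %SystemRoot% (C:\Windows if unset), that relative values are relative to it, and that extensionless images can be probed for .exe and .sys on the local disk; the sample values are constructed from the examples in these release notes.

```powershell
# Added example (editor's code, not the AutoRuns module's): derive an ImagePath from
# the raw Value of a service, driver or scheduled task. Assumptions: the Windows
# directory is %SystemRoot% (C:\Windows if unset), relative service/driver paths are
# relative to it, and extensionless service images are probed for .exe then .sys.
function Resolve-AutorunImagePath {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string] $Value)

    $windir = [Environment]::GetEnvironmentVariable('SystemRoot')
    if (-not $windir) { $windir = 'C:\Windows' }
    $exts = 'exe|dll|sys|cpl|ocx|scr|vbs|js|wsf|bat|cmd|ps1'

    # 1. Expand %var%, strip the NT object-manager prefix (\??\) that driver values
    #    carry, and map \SystemRoot\ to the real Windows directory.
    $s = [Environment]::ExpandEnvironmentVariables($Value).Trim()
    $s = $s -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($windir + '\')

    # 2. Split the program from its arguments: a quoted path wins; otherwise the
    #    shortest prefix ending in a known extension (so an unquoted path with spaces
    #    such as C:\Program Files (x86)\...\Action.vbs stays whole); otherwise the first token.
    if     ($s -match '^"([^"]+)"\s*(.*)$')                  { $exe = $Matches[1]; $rest = [string]$Matches[2] }
    elseif ($s -match "^(.+?\.(?:$exts))(?:\s+(.*))?$")      { $exe = $Matches[1]; $rest = [string]$Matches[2] }
    elseif ($s -match '^(\S+)\s*(.*)$')                      { $exe = $Matches[1]; $rest = [string]$Matches[2] }
    else   { return $null }

    # 3. For launchers, the file worth hashing and signature-checking is the payload.
    $leaf = ($exe -split '[\\/]')[-1].ToLowerInvariant()
    switch -Regex ($leaf) {
        '^(powershell|pwsh)\.exe$' {
            if ($rest -match '-f(ile)?\s+"([^"]+\.ps1)"' -or $rest -match '-f(ile)?\s+(\S+\.ps1)') { $exe = $Matches[2] }
            elseif ($rest -match '"?&\s*(\S+\.ps1)') { $exe = $Matches[1] }   # the "& script.ps1 ..." form
        }
        '^[cw]script\.exe$' {
            if ($rest -match '"([^"]+\.(vbs|js|wsf))"' -or $rest -match '(\S+\.(vbs|js|wsf))(\s|$)') { $exe = $Matches[1] }
        }
        '^rundll32\.exe$' {
            if ($rest -match '^"([^"]+\.dll)"' -or $rest -match '^([^,]+\.dll)\s*,') { $exe = $Matches[1] }
        }
    }

    # 4. Make the path absolute and, for extensionless service images, probe the
    #    usual candidates instead of returning the bare name.
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $windir $exe }
    if (-not [IO.Path]::GetExtension($exe)) {
        foreach ($ext in '.exe', '.sys') {
            if (Test-Path -LiteralPath "$exe$ext" -PathType Leaf) { $exe = "$exe$ext"; break }
        }
    }

    [PSCustomObject]@{
        Value     = $Value
        ImagePath = $exe
        Exists    = (Test-Path -LiteralPath $exe -PathType Leaf)
    }
}

# Constructed inputs, built from the cases these release notes describe.
$samples = @(
    '"C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SACpl.exe" /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne'
    'C:\Users\username\AppData\Local\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler'
    '%systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"'
    '%systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1)'
    'SysWow64\drivers\AsUpIO.sys'
    '\??\C:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys'
    'C:\Program Files (x86)\Mirillis\Action!\Action.vbs'
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec Bypass -File c:\windows\system32\logoff.ps1'
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Tools\UpdateOMCert.ps1" -OldCertHash $(OldCertHash)'
    '%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& %windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"'
    'C:\Windows\system32\ibtsiva'
)
$samples | ForEach-Object { Resolve-AutorunImagePath -Value $_ } | Format-Table -AutoSize -Wrap
```

Two caveats a reviewer should keep in mind: an unquoted path with spaces is genuinely ambiguous (step 2 picks the shortest prefix that ends in a known extension, which is the right call for the examples above but can be fooled by an argument that also ends in .exe), and the Exists column is what decides whether an entry can be hashed or signature-checked at all, which is exactly why issue #34 stopped dropping entries whose ImagePath does not resolve.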