Wednesday, October 9, 2019

Enterprise Autorun Collections with autorunsc.exe


Does anyone know of a tool that collects the hashes of autorun locations as thoroughly as Mark Russinovich's Autoruns? I thought it would be nice to have that level of detail reported to Splunk from every system, so the hashes can be checked against VirusTotal to find the low-hanging malware fruit.

Since I enjoy learning Python and PowerShell, I put together a GRR python_hack that launches autorunsc.exe and sends the output to Splunk. With GRR Rapid Response you can run it as a hunt across all hosts.

The full script is on GitHub; here is a breakdown of what I (with help from the folks at stackoverflow.com) put together.

Process flow:
  • The GRR python hack base64-decodes and unzips autorunsc.exe and writes it to the target host
  • The python hack then executes a PowerShell encoded command
  • The PowerShell command runs autorunsc.exe and writes the selected fields to the Windows event log via Write-EventLog, where your log collector picks them up and forwards them to your SIEM
GRR has trouble with very long lines, so the binary had to be split in two parts: autorunsc.exe is base64 encoded and assigned to two variables, autorunscBinary00 and autorunscBinary01. Since the encoded binary is over 2000 lines, they are collapsed in the picture below for easier reading.

I encoded the PowerShell script (the b64Powershell variable) like this. The encoding must be UTF-16LE ("Unicode" in .NET), because that is what powershell.exe -EncodedCommand expects:
$data = @'
powershell script here
'@
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($data)
$EncodedData = [Convert]::ToBase64String($Bytes)
$EncodedData
For the binary file I used PowerShell Get-Content and assigned that output to $data. Note that a binary has to be read as raw bytes (Get-Content -Encoding Byte in Windows PowerShell, or [System.IO.File]::ReadAllBytes) and passed straight to [Convert]::ToBase64String; running it through Unicode.GetBytes as above would corrupt the executable.
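Here is an added example (not the post's own encoder) of preparing the binary for the two GRR variables: read it as raw bytes, base64 it, split the string in two halves, and prove the halves reassemble to the identical file before shipping them. The path is an assumption.

```powershell
# Added example: encode autorunsc.exe for embedding in the GRR python hack.
# The source path is an assumption; the two variable names match the post.
$exe = 'C:\Tools\autorunsc.exe'

# Read BYTES, not text. Reading the binary as a string and re-encoding it
# would silently corrupt the executable.
$bytes = [System.IO.File]::ReadAllBytes($exe)
$b64   = [Convert]::ToBase64String($bytes)

# GRR chokes on very long lines, so hand it two shorter strings instead.
$half = [math]::Ceiling($b64.Length / 2)
$autorunscBinary00 = $b64.Substring(0, $half)
$autorunscBinary01 = $b64.Substring($half)

# Round-trip check: what the hack reassembles on the target must hash the
# same as the file we started from. Record the SHA256 so the dropped binary
# can be verified on the endpoint too.
$rebuilt = [Convert]::FromBase64String($autorunscBinary00 + $autorunscBinary01)
$sha = [System.Security.Cryptography.SHA256]::Create()
$origHash = ([BitConverter]::ToString($sha.ComputeHash($bytes)))   -replace '-'
$newHash  = ([BitConverter]::ToString($sha.ComputeHash($rebuilt))) -replace '-'
if ($origHash -ne $newHash) { throw "base64 round-trip mismatch, do not ship" }

"SHA256 $origHash ($($b64.Length) base64 chars, split at $half)"
```

If you also zip the binary first, as the post's process flow does, zip it before the ReadAllBytes call and unzip after the FromBase64String call on the target; the split and the hash check stay the same.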

Here is the decoded PowerShell command from the b64Powershell variable:


autorunsc.exe can return more fields, but for checking hashes in VirusTotal I'm interested in SHA256, location, path and signer. Each value returned by autorunsc is prefixed with its field name (for example Path=...), so it is easy to extract in Splunk. Example query to view the results:
index=windows GRR EventID=187 | table Workstation hash Location Path Signer
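As an added example (my reconstruction, not the script from the post or the GitHub repo), this is the shape of the PowerShell that runs on the endpoint: it invokes autorunsc.exe with CSV output, keeps the four fields the post cares about, and writes one event per entry with Write-EventLog. The drop path, the "GRR" event source and event ID 187 are assumptions chosen to match the Splunk search above; the CSV column names are those Autoruns emits in the versions I have used and should be checked against yours.

```powershell
# Added example: collect autorun hashes with autorunsc.exe and log them for the SIEM.
# Assumptions: autorunsc.exe was already dropped at $AutorunscPath, the collector
# forwards the Application log, and source "GRR" / EventId 187 match the Splunk query.
param(
    [string]$AutorunscPath = 'C:\Windows\Temp\autorunsc.exe',
    [string]$LogName       = 'Application',
    [string]$Source        = 'GRR',
    [int]   $EventId       = 187
)

# Write-EventLog refuses unknown sources; registering one needs admin rights,
# which a GRR hunt normally has.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# -a '*' every category, -c CSV, -h file hashes, -s verify signatures,
# -nobanner / -accepteula keep the output parseable and non-interactive.
$raw = & $AutorunscPath -accepteula -nobanner -a '*' -c -h -s 2>$null

# Drop blank lines before parsing so the header row is the first line seen.
$entries = $raw | Where-Object { $_ -ne '' } | ConvertFrom-Csv

$written = 0
foreach ($e in $entries) {
    # Entries whose image is missing on disk have no hash; nothing to look up.
    if ([string]::IsNullOrWhiteSpace($e.'SHA-256')) { continue }

    # Field=value pairs, exactly what the Splunk search extracts.
    $msg = @(
        "Workstation=$env:COMPUTERNAME",
        "hash=$($e.'SHA-256')",
        "Location=$($e.'Entry Location')",
        "Path=$($e.'Image Path')",
        "Signer=$($e.Signer)"
    ) -join ' '

    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
                   -EntryType Information -Message $msg
    $written++
}

"$written autorun entries written to $LogName/$Source as event $EventId"
```

One event per autorun entry keeps each message far below the event log's size limit and gives Splunk one hash per event to pipe into VirusTotal. If ConvertFrom-Csv hands back objects with empty properties, autorunsc's output encoding did not match the console's; set [Console]::OutputEncoding before the call or write the CSV to a file and read it back with Get-Content.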

Now that all the autorun hashes are in your SIEM, you can pipe them to a VirusTotal Splunk app and find some low-hanging malware fruit!