Anyone know of a tool that can collect the hashes of autorun locations as thoroughly as Mark Russinovich's Autoruns tool? I thought it would be nice to have that level of detail reported to Splunk on all systems to check for badness in VirusTotal and find the low-hanging malware fruit.
Since I enjoy learning python and powershell, I put together a GRR python_hack which launches autorunsc.exe and sends the output to Splunk. With GRR Rapid Response you can launch this as a hunt on all hosts.
Full script is on github, here's a breakdown of what I (and thanks to the folks at stackoverflow.com) put together.
Process flow:
- GRR python hack decodes and unzips autorunsc.exe, then writes it to the target host
- Python hack then executes powershell encoded command
- PowerShell command runs autorunsc.exe and reports the specified details to the event log via Write-EventLog, where your log collector will pick them up and forward them to your SIEM
I encoded autorunsc.exe and the PowerShell script (b64Powershell variable) using this:

# Script to encode (a script block here; a here-string works the same way)
$data = { powershell script here }
# -EncodedCommand expects Base64 of the UTF-16LE ("Unicode") bytes of the script
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($data)
$EncodedData = [Convert]::ToBase64String($Bytes)
# Print the encoded string so it can be pasted into the hack
$EncodedData

For the binary file I used PowerShell Get-Content and assigned that output to $data.
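The same two transformations done on the GRR side, as an added Python example that is not part of the post or its GitHub script: the UTF-16LE Base64 encoding that powershell.exe -EncodedCommand expects (the equivalent of the Unicode.GetBytes / ToBase64String lines above, with a decoder so you can inspect what an encoded command contains), and the decode-unzip-write step the hack performs for autorunsc.exe. The function and argument names are assumptions, and the binary is packed from raw bytes rather than via Get-Content.

```python
import base64
import io
import pathlib
import subprocess
import zipfile


def encode_powershell_command(script: str) -> str:
    """Base64 of the UTF-16LE bytes of `script`, the form -EncodedCommand expects.

    This is the same transformation as [System.Text.Encoding]::Unicode.GetBytes
    followed by [Convert]::ToBase64String in PowerShell.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded: str) -> str:
    """Inverse of encode_powershell_command; handy for checking what an encoded command runs."""
    return base64.b64decode(encoded).decode("utf-16-le")


def pack_binary(name: str, data: bytes) -> str:
    """Zip a file's raw bytes and Base64 the archive so it can sit in the hack as a string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return base64.b64encode(buf.getvalue()).decode("ascii")


def unpack_binary(payload: str, name: str) -> bytes:
    """What the hack does on the endpoint: decode the string, unzip, return the file bytes."""
    with zipfile.ZipFile(io.BytesIO(base64.b64decode(payload))) as zf:
        return zf.read(name)


def write_tool(payload: str, name: str, directory: str) -> pathlib.Path:
    """Decode, unzip and write the tool to `directory`; returns the path written."""
    target = pathlib.Path(directory) / name
    target.write_bytes(unpack_binary(payload, name))
    return target


def launch_argv(encoded: str) -> list:
    """Command line used to run the encoded script (assumed flags; non-interactive, no profile)."""
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-EncodedCommand", encoded]


def run_encoded_command(encoded: str) -> subprocess.CompletedProcess:
    """Run the encoded script on a Windows host (not exercised offline)."""
    return subprocess.run(launch_argv(encoded), capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed demo values; on the real hack the payload is autorunsc.exe from Sysinternals.
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # not a real PE, just bytes to round-trip
    payload = pack_binary("autorunsc.exe", fake_exe)
    assert unpack_binary(payload, "autorunsc.exe") == fake_exe
    script = 'Write-EventLog -LogName Application -Source GRR -EventId 187 -Message "hello"'
    encoded = encode_powershell_command(script)
    print(" ".join(launch_argv(encoded)))
    print(decode_powershell_command(encoded))
```

The decoder is worth keeping around on its own: the same Base64/UTF-16LE shape is what you will see in process-creation telemetry whenever -EncodedCommand is used, and decoding it is the first step of triage.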
There are more fields available from autorunsc.exe, but for the purpose of checking hashes in VirusTotal, I'm interested in SHA256, location, path and signer. Each of those values returned by autorunsc will be prefixed with "Field=" so it's easier to work with in Splunk. Example query to view results:
index=windows GRR EventID=187 | table Workstation hash Location Path Signer
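How the autorunsc output becomes the Field=value event message the query above relies on, as an added example in Python rather than the post's PowerShell (this is not the post's script, and it parses the CSV instead of calling Write-EventLog). It assumes autorunsc was run with -c -h -s so the CSV carries Signer and SHA-256 columns; the header below is my assumption of that layout, so compare it with the first line of your own output. The three rows and their hashes are constructed sample data.

```python
import csv
import io

# autorunsc column -> field name used in the event message (and in the Splunk search).
COLUMN_TO_FIELD = {
    "SHA-256": "hash",
    "Entry Location": "Location",
    "Image Path": "Path",
    "Signer": "Signer",
}

# Constructed SHA-256 values, not hashes of real files.
FAKE_SHA_A = "ab" * 32
FAKE_SHA_B = "cd" * 32

# Constructed sample of "autorunsc.exe -a * -c -h -s" output (assumed column layout).
SAMPLE_CSV = "\n".join([
    "Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,"
    "Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP",
    r'"","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled",'
    r'"Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows",'
    r'"Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.19041.1",'
    r'"%windir%\system32\SecurityHealthSystray.exe","","","","",' + f'"{FAKE_SHA_A}",""',
    r'"","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled",'
    r'"Logon","alice","","(Not verified)","","c:\users\alice\appdata\roaming\updater\updater.exe","",'
    r'"C:\Users\alice\AppData\Roaming\updater\updater.exe","","","","",' + f'"{FAKE_SHA_B}",""',
    r'"","Task Scheduler","\OldBackup","enabled","Task","System-wide","","","",'
    r'"File not found: c:\program files\oldbackup\backup.exe","",'
    r'"c:\program files\oldbackup\backup.exe","","","","","",""',
])


def parse_autoruns_csv(text: str) -> list:
    """One dict per autorun entry, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _kv(field: str, value: str) -> str:
    """key="value" form: Splunk auto-extracts it, and the quotes keep paths with spaces intact."""
    return f'{field}="{value.replace(chr(34), chr(39))}"'


def autoruns_to_events(text: str) -> list:
    """Build one event message per entry, e.g. hash="..." Location="..." Path="..." Signer="...".

    Entries whose image is missing still get a message (empty hash); a registered autorun
    pointing at a file that is gone is itself worth a look.
    """
    events = []
    for row in parse_autoruns_csv(text):
        events.append(" ".join(_kv(field, row.get(col, "")) for col, field in COLUMN_TO_FIELD.items()))
    return events


def unique_hashes(text: str) -> list:
    """Distinct SHA-256 values to hand to the VirusTotal lookup, skipping entries with no file."""
    return sorted({row["SHA-256"].lower() for row in parse_autoruns_csv(text) if row.get("SHA-256")})


def unsigned_entries(text: str) -> list:
    """(Location, Path) for entries whose signer is not '(Verified) ...': a cheap first triage cut."""
    return [
        (row["Entry Location"], row["Image Path"])
        for row in parse_autoruns_csv(text)
        if not row.get("Signer", "").startswith("(Verified)")
    ]


if __name__ == "__main__":
    for message in autoruns_to_events(SAMPLE_CSV):
        print(message)  # in the hack this string is the -Message passed to Write-EventLog
    print("hashes for VT:", unique_hashes(SAMPLE_CSV))
    print("unsigned:", unsigned_entries(SAMPLE_CSV))
```

Keeping the hash under the field name hash (rather than SHA256) is what makes the query's table command line up without extra field aliases; if you rename it, change the search too.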
Now that you have all the hashes of autoruns in your SIEM, you can pipe those hashes to a VirusTotal Splunk app and find some low-hanging malware fruit!