Last active
May 1, 2019 17:32
-
-
Save nullbind/78a7ae2f0a168c8c9cb3cf9fdbf08117 to your computer and use it in GitHub Desktop.
Invoke-HuntRegAutoruns.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # use this with powershell remote sessions | |
| # New-PSDrive -PSProvider ActiveDirectory -Name RemoteADS -Root "" -Server a.b.c.d -credential domain\user | |
| # cd RemoteADS: | |
| # Get-ADComputer -Filter * -Properties name | select @{Name="ComputerName";Expression={$_."name"}} | New-PSSession | |
| # Get-PSSession | Invoke-Command -FilePath C:\Invoke-HuntRegAutoruns.ps1 | |
| # $Results = Get-PSSession | Invoke-Command -FilePath C:\Invoke-HuntRegAutoruns.ps1 | |
| # $ScriptBlock = "ps code" | |
| # Invoke-Command -Session (Get-PSSession) -ScriptBlock {$ScriptBlock} | |
| # Invoke-Command -Session (Get-PSSession) -FilePath C:\Invoke-HuntRegAutoruns.ps1 | |
| # $Results | Export-Csv -Notypeinformation results.csv | |
| function Invoke-HuntRegistryAutorun { | |
| # Data Table for target keys | |
| $TargetKeys = New-Object System.Data.DataTable | |
| $TargetKeys.Columns.Add('RegPath') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\') | Out-Null | |
| # Data table for results | |
| $TableResults = New-Object System.Data.DataTable | |
| $TableResults.Columns.Add('PsPath') | Out-Null | |
| $TableResults.Columns.Add('PsParentPath') | Out-Null | |
| $TableResults.Columns.Add('PsChildName') | Out-Null | |
| $TableResults.Columns.Add('Property') | Out-Null | |
| $TableResults.Columns.Add('Value') | Out-Null | |
| # Get items in in path | |
| $TargetKeys | | |
| ForEach-Object { | |
| # Get key path | |
| $RegPath = $_.RegPath | |
| # Get auto run application paths | |
| $RegPropertiesDynamic = Get-ItemProperty $RegPath -ErrorAction SilentlyContinue | gm | Where-Object MemberType -like 'NoteProperty' | | |
| Where-Object name -notlike 'PSPath' | | |
| Where-Object name -notlike 'PSProvider' | | |
| Where-Object name -notlike 'PSParentPath' | | |
| Where-Object name -notlike 'PSChildName' | | |
| Where-Object name -notlike 'PSDrive' | | |
| Where-Object name -notlike 'PSPath' | |
| $RegPropertiesStatic = Get-ItemProperty $RegPath -ErrorAction SilentlyContinue | |
| $RegPsPath = $RegPropertiesStatic.PsPath | |
| $RegPsParentPath = $RegPropertiesStatic.PsParentPath | |
| $RegPsChildName = $RegPropertiesStatic.PsChildName | |
| # Build results list | |
| $RegPropertiesDynamic | | |
| ForEach-Object { | |
| [string]$RegName = $_.Name | |
| $ResultValue = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' -Name $RegName | select "$RegName" -ExpandProperty "$RegName" | |
| $TableResults.Rows.Add($RegPsPath,$RegPsParentPath,$RegPsChildName,$RegName,$ResultValue) | Out-Null | |
| } | |
| } | |
| $TableResults | |
| } | |
| # Run function | |
| Invoke-HuntRegistryAutorun | |
| <# | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCR:\txtfile\shell\open\command\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Classes\.txt\ShellNew\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\Software\Microsoft\Active Setup\Installed Components\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\Software\Microsoft\Active Setup\Installed Components\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Run\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Run\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\System\CurrentControlSet\Control\Session Manager') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\Control Panel\Desktop') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\') | Out-Null | |
| $TargetKeys.Rows.Add('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\') | Out-Null | |
| $TargetKeys.Rows.Add('HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\') | Out-Null | |
| #> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment