SHA256: 673290634561F3DFF3B2564534B76C043089019E9C7DFF18DE52E91BF94F2066
** Fixed spelling errors 2016-02-22
Blog post on the script
This is a wrapper around Autorunsc.exe and SigCheck.exe that finds files newly added to the autoruns on your system.
You can check these files against VirusTotal. This will help you find potential malware or processes that affect your machine's performance.
These are the requirements.
Tip: I would recommend the nice script Update-Sysinternals.ps1 to keep your Sysinternals tools updated.
Modify the following command in that script to something like this:
Update-Sysinternals -ToolsLocalDir "c:\Sysinternals"
https://gallery.technet.microsoft.com/scriptcenter/Another-Sysinternals-Tools-aa288439
To run this you have to put the two files Autorunsc.exe and SigCheck.exe in a folder on your drive. The expected path is C:\Sysinternals, but it is configurable.
1. The first run must include the "-Analyze" switch. This is needed after each boot, since it collects all autoruns.
Verify-Autoruns.ps1 -Analyze
Or
Verify-Autoruns.ps1 -Analyze -Dir <folder path to Autorunsc.exe and SigCheck.exe>
2. Once data has been collected we can run the script without scanning, if we just want to get notifications and a summary:
Verify-Autoruns.ps1
Or, if we want notifications even when nothing has happened:
Verify-Autoruns.ps1 -Icon
I also suggest you put the script in the same directory, but it is not a requirement; the path must, however, be configured in the scheduled task. You can schedule a task that runs at every boot.
This is the action for the task:
Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy Unrestricted -File "C:\Sysinternals\Verify-Autoruns.ps1" "-Analyze"
You can also schedule a task that runs at every logon to provide the user who logs on with notifications.
Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -Nologo -WindowStyle Hidden -ExecutionPolicy Unrestricted -File "C:\Sysinternals\Verify-Autoruns.ps1" "-Icon"
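The core of the procedure above is comparing this boot's Autorunsc snapshot with the previous one. The following is an added example, not code from Verify-Autoruns.ps1, showing that comparison on two CSV snapshots; it assumes both files were produced with autorunsc.exe -a * -c -h -s -nobanner -accepteula (so the columns "Entry Location", "Entry", "Image Path", "Launch String", "Signer" and "SHA-256" exist) and uses placeholder file names under the script's default log directory.

```powershell
# Added example, not part of Verify-Autoruns.ps1. Compares two Autorunsc CSV
# snapshots (previous boot vs. current boot) and reports entries that are new
# or whose image hash / launch string changed. Assumes both files come from:
#   autorunsc.exe -a * -c -h -s -nobanner -accepteula > <snapshot>.csv
# which yields the "Entry Location", "Entry", "Image Path", "Launch String",
# "Signer" and "SHA-256" columns used below.

function Get-AutorunKey {
    param($Row)
    # The same binary registered in two locations counts as two entries.
    '{0}|{1}|{2}' -f $Row.'Entry Location', $Row.Entry, $Row.'Image Path'
}

function Compare-AutorunsSnapshot {
    param(
        [Parameter(Mandatory)] [string] $PreviousCsv,
        [Parameter(Mandatory)] [string] $CurrentCsv
    )
    $baseline = @{}
    foreach ($row in Import-Csv -Path $PreviousCsv) {
        $baseline[(Get-AutorunKey $row)] = $row
    }
    foreach ($row in Import-Csv -Path $CurrentCsv) {
        $old = $baseline[(Get-AutorunKey $row)]
        if ($null -eq $old) {
            $status = 'NEW'
        } elseif ($old.'SHA-256' -ne $row.'SHA-256' -or
                  $old.'Launch String' -ne $row.'Launch String') {
            $status = 'MODIFIED'
        } else {
            continue   # unchanged since the previous boot
        }
        [pscustomobject]@{
            Status    = $status
            Location  = $row.'Entry Location'
            Entry     = $row.Entry
            ImagePath = $row.'Image Path'
            Signer    = $row.Signer
            SHA256    = $row.'SHA-256'
            OldSHA256 = $old.'SHA-256'   # $null for NEW entries
        }
    }
}

# Placeholder file names under the script's default log directory. Entries
# without a "(Verified)" signer sort first: those deserve a VirusTotal lookup.
Compare-AutorunsSnapshot -PreviousCsv 'C:\AutorunsLogs\previous.csv' `
                         -CurrentCsv  'C:\AutorunsLogs\current.csv' |
    Sort-Object { $_.Signer -like '(Verified)*' } |
    Format-Table Status, Entry, ImagePath, Signer -AutoSize
```

Unchanged entries are dropped, so an empty result means nothing was added or altered in the autoruns since the previous boot.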
What will this PowerShell script generate:
Verify-Autoruns.ps1 -LogDir <folder path to all logs>
################################################################################################
# Verify-Autoruns.ps1
#
# AUTHOR: Robin Granberg (robin.granberg@microsoft.com)
#
# THIS CODE-SAMPLE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR
# FITNESS FOR A PARTICULAR PURPOSE.
#
# This sample is not supported under any Microsoft standard support program or service.
# The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
# implied warranties including, without limitation, any implied warranties of merchantability
# or of fitness for a particular purpose. The entire risk arising out of the use or performance
# of the sample and documentation remains with you. In no event shall Microsoft, its authors,
# or anyone else involved in the creation, production, or delivery of the script be liable for
# any damages whatsoever (including, without limitation, damages for loss of business profits,
# business interruption, loss of business information, or other pecuniary loss) arising out of
# the use of or inability to use the sample or documentation, even if Microsoft has been advised
# of the possibility of such damages.
################################################################################################
<#
.Synopsis
Analyze autoruns and verify against the previous boot.
Requires version 13.51 and above of Autorunsc.exe
Requires version 2.50 and above of SigCheck.exe
.DESCRIPTION
To protect your machine and keep track of new binaries running at start up, this script compares the current autoruns with those of the previous boot to find new entries or modifications of your machine's autoruns.
.PARAMETER Analyze
Generates a CSV file of the system autoruns, in C:\AutorunsLogs by default.
.PARAMETER Prompt
This switch prints the checks performed to the screen.
.PARAMETER LogPath
This parameter lets you define an optional path where results are stored. Defaults to C:\AutorunsLogs
.PARAMETER autorunscdir
This parameter lets you define an optional path where you store Autorunsc.exe and SigCheck.exe. Defaults to C:\Sysinternals
.PARAMETER NotificationIcon
Use it to get the notification icon in the task bar even though nothing changed. Normally the notification icon is displayed only when new things are detected.
.PARAMETER SystemCheck
This option lets you check the entire system's autoruns with VirusTotal.
.PARAMETER Offline
Checks all system autoruns with VirusTotal, but offline: creates an offline file.
.EXAMPLE
.\Verify-Autoruns.ps1
(Requires an analyze CSV file to have been created before.)
If a previous analyze file from the latest boot is saved, a report will be created.
Then a report of differences between the current boot and the previous boot autoruns will be logged to the log directory.
.EXAMPLE
.\Verify-Autoruns.ps1 -Analyze
This command will create a new file of all autoruns on the system using Autorunsc.exe.
Then a report of differences between the current boot and the previous boot autoruns will be logged to the log directory.
.EXAMPLE
.\Verify-Autoruns.ps1 -Analyze -Prompt
This command will create a new file of all autoruns on the system using Autorunsc.exe.
Then a report of differences between the current boot and the previous boot autoruns will be logged to the log directory.
The result will be printed to the PowerShell prompt.
.EXAMPLE
.\Verify-Autoruns.ps1 -Prompt
This command will create a report of differences between the current boot and the previous boot autoruns.
The result will be printed to the PowerShell prompt.
.EXAMPLE
.\Verify-Autoruns.ps1 -SystemCheck
This command will check the entire system's autoruns with VirusTotal and display the result in a window.
.EXAMPLE
.\Verify-Autoruns.ps1 -SystemCheck -Offline
This command will create an offline file to use with SigCheck to check with VirusTotal.
.INPUTS
Inputs to this cmdlet (if any)
.OUTPUTS
Output from this cmdlet (if any)
.NOTES
General notes
.COMPONENT
The component this cmdlet belongs to
.ROLE
The role this cmdlet belongs to
.FUNCTIONALITY
The functionality that best describes this cmdlet
#>