PowerShell: Malware detection and tracking of new autoruns
Old Project realized
A month ago I reinstalled one of my PC’s and thought of a project I started but never finished many years ago. It was when I found out about autorunsc.exe , one of the many awesome tools from the Sysinternals suite and the creatorMark Russinovich, when I thought of an idea to keep track of all additions to my Windows installation. Any additions to it that had any effect on my boot process or that started any processes at startup. With this information I would be able to determine when I had additions I didn’t approved nor expected. Then I could simple remove these binaries or uninstall the guilty application.
Now, I have a slightly different approach. Besides catching all additions to the auto-runs in my Windows installation I also would like to know what executables are signed or not and if these could be a threat to me. I’m thinking of malware and vicious code. I think autorunsc.exe can do a fantastic job here with all its features, especially with some of the new features and the combination with another awesome tool, also from Sysinternals, Sigcheck.
Some of the things Autorunsc do:
- List all drivers, processes, scheduled tasks, boot drivers , logon startups and auto-runs.
- Check if the image of the executable is signed or not.
- Check the hash of the image.
Link to Autoruns : https://technet.microsoft.com/en-us/sysinternals/bb963902
Some of the things SigCheck do:
- Verify signatures.
- Check the image against Virus Total, a free online virus, malware and URL Scanner.
Link to SigCheck: https://technet.microsoft.com/en-us/sysinternals/bb897441
With a combination of both:
Scan my entire system auto-runs against Virus Total, i.e. the things Autorunsc.exe collects:
- Boot execute.
- Codecs.
- Appinit DLLs.
- Explorer addons.
- Sidebar gadgets (Vista and higher)
- Image hijacks.
- Internet Explorer addons.
- Known DLLs.
- Logon startups (this is the default).
- WMI entries.
- Winsock protocol and network providers.
- Office addins.
- Printer monitor DLLs.
- LSA security providers.
- Autostart services and non-disabled drivers.
- Scheduled tasks.
- Winlogon entries.
Powershell – There’s nothing PowerShell can’t do!
Powershell comes to help once again. By using PowerShell I built a wrapper around these two Sysinternals tools (Autrunsc.exe and SigCheck.exe) plus some GUI to provide you with notifications when you got new binaries on your system.
The processs:
- Use Scheduled Tasks to run the script at:
- Boot(Analyze autoruns) .
- User Logon (Notifications).
- One Powershell script that does all the job.
- The script scan the machine with Autorunsc.exe.
- Generates CSV output.
- Compares CSV inbetween boots.
- The script finds any differences.
- The script sends the user notifications when:
- New Unsigned Non-Microsoft Binaries added.
- New Unsigned Microsoft Binaries added.
- Files with New Hash and Unsigned Binaries added.
- New Non-Microsoft Binaries added.
- New Microsoft Binaries added.
- Provide a UI to see the added files and a summary.
- With the list of additions you can run a check against Virus Total.
The value this script provides
- Scan the entire system auto-runs with Virus Total.
- Creates an offline file for scanning entire system auto-runs with Virus Total, when no internet is available.
- Notifications when additions to the system are added.
- A Summary of additions over every boot.
- Summary of current additions with information about what kind of modifications done.
Requirements
These are the requirements.
- PowerShell
- Sysinternals Autorunsc v13.51 (or newer) – Autostart program viewer.
- Sysinternals Sigcheck v2.50 (or newer) – File version and signature viewer.
- Internet connection if you will run a check against Virus Total.
- Important! Once run Sigcheck -v <any file> and accept the agreement with Virus Total, if you do agree of cause :).
- Important! Agree to Autorunsc.exe EULA.
- Important! Agree to SigCheck.exe EULA.
Run the PowerShell script once and it will prompt you with the option to agree to the EULA and to use Virus Total.
Tip! : I would recommend the nice script Update-sysinternals.ps1 to keep your Sysinternals tools updated.
Modify the following command in the script to something like this.
Update-Sysinternalshttp -ToolsLocalDir “c:\Sysinternals”
https://gallery.technet.microsoft.com/scriptcenter/Another-Sysinternals-Tools-aa288439
Config
To run this you have to put these two files, Autorunsc.exe and SigCheck.exe, in a folder on your drive, the expected path is C:\Sysinternals but it’s configurable.
1. First run must include the “-Analyze” switch . This is needed after each boot since it will collect all auto-runs.
Verify-Autoruns.ps1 -Analyze
Or
Verify-Autoruns.ps1 -Analyze -Dir <folder path to Autorunsc.exe and SigCheck.exe>
2. Once we have collected data we can run the script without scanning if we just want to get notifications and summary
Verify-Autoruns.ps1
Or if we want notifications even if nothing has happend:
Verify-Autoruns.ps1 -Icon
I also suggest you put the script in the same directory, but it is not a requirement ,though it must be configured in the scheduled task.
You can schedule a task in that runs at every boot.
This is the action for the task:
Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy Unrestricted -File “C:\Sysinternals\Verify-Autoruns.ps1” “-Analyze”
If you want you can just import the exported Scheduled Task provided : Verify Autoruns – Analyze Boot.xml included in the attached file VerifyAutoruns_ScheduledTaskExports.zip
You can also schedule a task in that runs at every logon to provide the user that logons with notifications.
Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -Nologo -WindowStyle Hidden -ExecutionPolicy Unrestricted -File “C:\Sysinternals\Verify-Autoruns.ps1” “-Icon”
If you want you can just import the exported Scheduled Task provided : Verify Autoruns – Verify.xml included in the attached file VerifyAutoruns_ScheduledTaskExports.zip
Output from Verify-Autoruns
What will this powershell script generate:
- A CSV file with all the autoruns on the system in a folder called C:\AutorunsLogs (Can be customized). Example: AutorunsC_20160210-0925.csv
Verify-Autoruns.ps1 -LogDir <folder path to all logs>
- A CSV file with any new files added . This will require that you have at least two boot scans created, there’s only going to be one file for each boot. Example file: AutorunsC_New_20160210-0950.csv
- A CSV file with the collected summary of all added files, i.e. the contents of all AutorunsC_New.. files.
- SigCheck input CSV file for offline systems that can not access to internet. This file can be moved and run on internet connected systems for checking with Virus Total.
- Notifications Icon.
- Ballon Notifications.
- Report Window.
- Summary Window.
Notifications Icon
This Shield icon in the task bar let you access three things:
- The Report Window.
- The Summary of the last run.
- Windows Reliability Monitor (This tool can provide you with events on your system that might have caused one of the additions to the auto-runs)
Balloon Notifications
The following notifications are fired at detection. This will require that you have at least two boot scans created, there’s only going to be one file for each boot.
- New Non-Microsoft Files that are not signed
- Files with new Hash that are not signed
- New Microsoft files that are not signed
- New Non-Microsoft files added
- New Microsoft files added
Report Window
Here can you view the files added to autoruns. You can also:
- View a summary of the last boot.
- View the logfile.
- Check the new files against Virus Total. Requires Internet. (Requires SigCheck.exe ver 2.50 in the same folder as Autorunsc.exe).
- Check all current autoruns against Virus Total .Requires Internet. (This might take a while).
Summary Window
This list shows the results from the latest analysis.
Virus Total Check Window
This is a table with the results from Virus Total. The column VT Detection will let you know the detection ratio. How many indications of the binary to be “unsecure” in ratio with the number of sources of information.
This picture shows the Virus Total outcome of the new addtions to Windows from the latest boot.
Scan the entire systems auto-runs against Virus Total
If you like to scan all binaries that the system runs at boot and startup you can do it from the Report Window, just click “Check All System Autoruns with Virus Total“, or you can do it directly from the Powerhshell command line.
Command:
PS C:\Sysinternals> .\Verify-Autoruns.ps1 -SystemCheck
This action might take a while since there are many files to be checked over internet.
Or if no internet connection is possible:
PS C:\Sysinternals> .\Verify-Autoruns.ps1 -SystemCheck -Offline
The output from this command can be used with SigChekc on a internet connected system like this:
SigCheck.exe -o -v VTInput.csv > VTResult.csv
This output will file contain the VT Detection ratio for each file. It’s a CSV file that’s best suitable for opening in Excel or similar.
Summary
With this script running on my PC’s I can easily determine all the auto-runs added, even over time. But the coolest feature according to me is that you can scan the entire systems auto-runs against Virus Total online or offline.
This script does of course not replace any antivirus or malware software. I use it on all my PC’s as an additional control and nice to have.
The script is available at TechNet Script Center here.