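Function Write-Log {
    <#
    .SYNOPSIS
        Writes one timestamped log line, appended to a file or emitted to the pipeline.
    .PARAMETER Level
        Severity tag placed between the timestamp and the message.
        One of INFO, WARN, ERROR, FATAL, DEBUG; defaults to INFO.
    .PARAMETER Message
        Free text for the line.
    .PARAMETER logfile
        Optional path of the file to append to. When omitted or empty the
        formatted line is written to standard output instead.
    .OUTPUTS
        The formatted line (string), only when no -logfile is given.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [ValidateSet("INFO","WARN","ERROR","FATAL","DEBUG")]
        [String]
        $Level = "INFO",
        [Parameter(Mandatory=$True)]
        [string]
        $Message,
        [Parameter(Mandatory=$False)]
        [string]
        $logfile
    )
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    $Line = "$Stamp $Level $Message"
    If($logfile) {
        # -LiteralPath so wildcard characters in a configured path ([, ], *, ?) are not expanded.
        Add-Content -LiteralPath $logfile -Value $Line
    }
    Else {
        Write-Output $Line
    }
}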
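function Start-FullScan {
    <#
    .SYNOPSIS
        Runs autorunsc.exe and returns the current autostart inventory as objects.
    .PARAMETER autorunsPath
        Path of the autorunsc.exe binary to execute.
    .PARAMETER autorunsCsv
        Path of the temporary CSV that autorunsc's standard output is redirected to.
        The file is removed before this function returns, also on failure.
    .OUTPUTS
        The CSV rows, round-tripped through JSON so they have the same shape as the
        rows the caller loads back from the JSON state file.
    .NOTES
        Reads the script-scope $CONFIGURATION.ScriptLogFile for logging.
        Throws when the scan produced no usable CSV, so the caller never replaces
        the state file with an empty inventory (which would make every entry look
        new on the following run).
    #>
    param (
        $autorunsPath,
        $autorunsCsv
    )
    # Call autorunssc.exe and save output to temp csv.
    Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Starting autorunsc.exe process"
    $proc = Start-Process -FilePath $autorunsPath `
        -ArgumentList '-nobanner', '/accepteula', '-a *', '-c', '-s', '*' -RedirectStandardOut $autorunsCsv -WindowStyle hidden -Passthru
    $proc.WaitForExit()
    Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Process autorunsc.exe is done."
    if ($proc.ExitCode -ne 0) {
        # The exit-code convention of autorunsc is not documented here; record it and let
        # the output checks below decide whether the scan is usable.
        Write-Log -Level WARN -logfile $CONFIGURATION.ScriptLogFile -Message "autorunsc.exe exited with code $($proc.ExitCode)"
    }
    try {
        if (-not (Test-Path -LiteralPath $autorunsCsv) -or (Get-Item -LiteralPath $autorunsCsv).Length -eq 0) {
            Write-Log -Level FATAL -logfile $CONFIGURATION.ScriptLogFile -Message "autorunsc.exe produced no output at $autorunsCsv"
            throw "autorunsc.exe produced no output at $autorunsCsv"
        }
        # import the temp csv as a powershell object and remove the temp csv.
        Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Importing temp CSV file"
        $autorunsArray = @(Import-Csv -LiteralPath $autorunsCsv)
        if ($autorunsArray.Count -eq 0) {
            Write-Log -Level FATAL -logfile $CONFIGURATION.ScriptLogFile -Message "Temp CSV file contained no entries"
            throw "Temp CSV file $autorunsCsv contained no entries"
        }
    }
    finally {
        # Always drop the temp file, even when the import above failed.
        Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Deleting temp .csv file"
        Remove-Item -LiteralPath $autorunsCsv -Force -ErrorAction SilentlyContinue
    }
    # return the current state of autoruns configuration as a powershell object.
    return $autorunsArray | ConvertTo-Json | ConvertFrom-Json
}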
function Compare-Autoruns {
    <#
    .SYNOPSIS
        Diffs two autoruns inventories on the "Entry Location" and "Entry" columns.
    .PARAMETER CurrentAutoruns
        Rows from the scan that just ran (the difference side, "=>").
    .PARAMETER PreviousAutoruns
        Rows loaded from the state file (the reference side, "<=").
    .OUTPUTS
        The rows that exist on only one side, each carrying a SideIndicator property:
        "=>" present only in CurrentAutoruns, "<=" present only in PreviousAutoruns.
        Rows whose key columns match on both sides are not returned.
    .NOTES
        NOTE(review): Compare-Object rejects a null -ReferenceObject, so a missing
        or empty state file has to be handled by the caller — confirm the first-run path.
    #>
    param (
        $CurrentAutoruns,
        $PreviousAutoruns
    )
    # The two columns that identify an autostart entry across scans.
    $keyColumns = @("Entry Location", "Entry")
    # comparisons.
    Compare-Object -ReferenceObject $PreviousAutoruns `
                   -DifferenceObject $CurrentAutoruns `
                   -Property $keyColumns `
                   -PassThru
}
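function Start-SortComparisonObject {
    <#
    .SYNOPSIS
        Writes every difference to the audit log and returns the entries that are new.
    .PARAMETER ComparisonObject
        Output of Compare-Autoruns: rows carrying a SideIndicator of "=>" (new) or "<=" (removed).
    .PARAMETER CONFIGURATION
        Configuration object; only .AuditLogFile is used here.
    .OUTPUTS
        The "=>" rows, i.e. entries present in the current scan but absent from the previous one.
        Removed entries ("<=") are logged at INFO only and are not returned.
    #>
    param (
        $ComparisonObject,
        $CONFIGURATION
    )
    # Work on the comparison handed in by the caller. The earlier version ignored this
    # parameter and recomputed the diff from $PreviousAutoruns/$CurrentAutoruns, which
    # only resolved through the script scope.
    $NewAustoruns = @()
    foreach ($item in $ComparisonObject) {
        # Each entry goes to the audit log as JSON, so string values taken from the
        # scan (paths, command lines) appear escaped rather than raw.
        $ReportValue = $item | ConvertTo-Json
        switch ($item.SideIndicator) {
            "=>" {
                Write-Log -Level WARN -logfile $CONFIGURATION.AuditLogFile -Message "NEW AUTORUN: "
                Add-Content -LiteralPath $CONFIGURATION.AuditLogFile -Value $ReportValue
                $NewAustoruns += $item
            }
            "<=" {
                Write-Log -Level INFO -logfile $CONFIGURATION.AuditLogFile -Message "Removed persistence item. (Was in the previous autoruns scan, but no longer exists):"
                Add-Content -LiteralPath $CONFIGURATION.AuditLogFile -Value $ReportValue
            }
        }
    }
    return $NewAustoruns
}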
function Update-StateFile {
    # Placeholder with no body. The state file is currently written directly by the
    # top-level script, so this function is never called; kept for its existing name.
    param ()
}
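# Get Configuration items
$CONFIGURATION = Get-Content -Raw -LiteralPath "$PSScriptRoot\configuration.json" | out-string | ConvertFrom-Json
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Autoruns comparison starting."
# Run autorunsc.exe to gather current state.
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Calling Start-FullScan"
$currentAutoruns = Start-FullScan -autorunsCsv $CONFIGURATION.TemporaryCSVFile -autorunsPath $CONFIGURATION.AutorunsExe
# First run: there is no baseline yet. Seed it from this scan and stop, instead of
# handing a null reference set to Compare-Object (which rejects it) and reporting nothing.
if (-not (Test-Path -LiteralPath $CONFIGURATION.StateFile)) {
    Write-Log -Level WARN -logfile $CONFIGURATION.ScriptLogFile -Message "State file not found; writing initial baseline and exiting."
    $currentAutoruns | ConvertTo-Json -depth 100 | Set-Content -LiteralPath $CONFIGURATION.StateFile
    exit
}
# Gather previous state from .json state file.
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Reading previous scan results from .json file"
$previousAutoruns = Get-Content -Raw -LiteralPath $CONFIGURATION.StateFile | out-string | ConvertFrom-Json
# Compare.
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Comparing this scan with previous scan"
$ComparisonResult = Compare-Autoruns -CurrentAutoruns $currentAutoruns -PreviousAutoruns $previousAutoruns
# Identify the reportable conditions and return those. (Log all interesting conditions in the function even if not alertable)
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Identifying differences"
$NewAutoruns = Start-SortComparisonObject -ComparisonObject $ComparisonResult -CONFIGURATION $CONFIGURATION
# Update the state file ahead of the next run.
# NOTE(review): this file is the baseline every later run is judged against; anything able
# to write it can place an entry in the baseline so it is never reported. Confirm its ACL
# only allows the account this script runs as.
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Updating state file"
$currentAutoruns | ConvertTo-Json -depth 100 | Set-Content -LiteralPath $CONFIGURATION.StateFile
# If no new alertable conditions are found we are done.
# (An empty array returned from the function arrives here as $null; the Count check covers both.)
if ($null -eq $NewAutoruns -or @($NewAutoruns).Count -eq 0){
    Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "No new autoruns entries identified. Exiting."
    exit
}
# Set the notification flag for the user mode process
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Setting notification flag."
# Set-ItemProperty fails when the key itself is absent, so create it first.
# NOTE(review): HKCU is the hive of the account running this script; if it is scheduled
# under a service account the user-mode reader will be looking at a different hive — confirm.
if (-not (Test-Path -LiteralPath 'HKCU:\SOFTWARE\AutorunsAlert')) {
    New-Item -Path 'HKCU:\SOFTWARE\AutorunsAlert' -Force | Out-Null
}
Set-Itemproperty -path 'HKCU:\SOFTWARE\AutorunsAlert' -Name 'Alert' -value 1
# Done.
Write-Log -Level INFO -logfile $CONFIGURATION.ScriptLogFile -Message "Issues identified. Flag configured. Exiting."
exit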