https://github.com/Telindus-CSIRT/volatility3-autoruns

Port of tomchop's autoruns plugin for Volatility 3
https://github.com/Telindus-CSIRT/volatility3-autoruns

Last synced: 3 months ago
JSON representation

Port of tomchop's autoruns plugin for Volatility 3

• Host: GitHub
• URL: https://github.com/Telindus-CSIRT/volatility3-autoruns
• Owner: Telindus-CSIRT
• License: gpl-2.0
• Created: 2021-07-01T13:18:53.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2022-04-27T07:30:52.000Z (almost 3 years ago)
• Last Synced: 2024-08-02T03:07:30.189Z (6 months ago)
• Language: Python
• Size: 29.3 KB
• Stars: 8
• Watchers: 4
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-volatility - Autoruns - Finding persistence points (also called "Auto-Start Extensibility Points", or ASEPs) is a recurring task of any investigation potentially involving malware. (Port of tomchop's autoruns plugin for Volatility 3) (Volatility 3 / Plugins)

README

        
# Volatility3 Autoruns plugin

Port of tomchop's autoruns plugin for Volatility 3

This plugin has been tested using tomchop's own test_data image and does match the expected output.

## How-to

Drop the autorun.py file in the ```plugins/windows``` directory of volatility 3. Volatility should automatically detect it, then call it by typing ```windows.autorun.Autoruns```

Here are the available options for this plugin:

```--verbose``` Shows extra information that would normally be filtered (like Services from the System32 folder)

```--asep=autoruns services appinit winlogon tasks activesetup``` - Use it to focus on specific ASEPS. Options are: autoruns (Run, RunOnce, etc.), services, appinit, winlogon, tasks, and activesetup. You can specify any combination of them with a space-separated list: autoruns services. Leave blank to get all ASEPs.

## Special thanks

Special thanks to tomchop for making the plugin available for the community.