https://github.com/blwhit/autorunhunter
Hunting suspicious and malicious autoruns, looking for malware persistence.
- Host: GitHub
- URL: https://github.com/blwhit/autorunhunter
- Owner: blwhit
- Created: 2025-07-21T17:31:43.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-07-21T19:23:03.000Z (11 months ago)
- Last Synced: 2025-07-21T19:33:41.041Z (11 months ago)
- Language: PowerShell
- Size: 1.38 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# AutorunHunter
Hunt suspicious autoruns and potential malware footholds/persistence.
---------------------
PowerShell script that uses the embedded Sysinternals Autorunsc.exe to enumerate autorun entries and filter them.
It flags an entry as suspicious when it has:
- Unverified, Revoked, or Missing Signatures
- Known Suspicious Keywords commonly used in malware persistence techniques
Features:
- Export Results: Save findings as CSV, Excel, or display them in the Console
- Custom IOC Search: Add custom strings for detecting known Indicators of Compromise (IOCs)
- Whitelisting: Exclude trusted entries with customizable whitelists
-------------------------
```
[ Synopsis ]
This script enumerates autoruns using Sysinternals Autorunsc.exe,
automatically flags and filters for suspicious entries,
and outputs the findings in console, CSV, or Excel format.
[ Parameters ]
-Include     Comma-separated strings to add to known bad list
-Whitelist   Key/value pairs to add to global whitelist ("Value" = "Field")
-Console     Show suspicious entries in colored console output
-CSV         Export suspicious entries to CSV in the specified path or default folder
-XML         Export suspicious entries to Excel (.xlsx) via COM automation
-Open        Open the exported file(s) after creation
-All         Return all entries, disables filtering
-h, -?       Show this help message
[ Examples ]
.\AutorunHunter.ps1 -CSV -Console
.\AutorunHunter.ps1 -Include "rundll32,mshta" -Verbose -CSV
.\AutorunHunter.ps1 -Whitelist @{ "Custom Corp" = "Signer"; "Example Inc" = "Entry" } -CSV
```
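As an added example that is not the project's own code, the PowerShell below re-creates the flagging rules described above (signature state, suspicious keywords, and the `"Value" = "Field"` whitelist shape) over constructed Autorunsc CSV rows. It assumes the column names match the CSV output of `autorunsc.exe -c -s -v`, where the `Signer` column reads `(Verified) ...` or `(Not verified) ...`; the function name `Find-SuspiciousAutorun`, its `-Include`/`-Whitelist` parameters and the baseline keyword list are this example's own, not the script's.

```powershell
# Added example, not code from the AutorunHunter project.
# Assumption: column names follow "autorunsc.exe -c -s -v" CSV output.

# Constructed sample rows, not captured from a real host.
$sampleCsv = @'
"Entry Location","Entry","Enabled","Category","Description","Signer","Company","Image Path","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","","(Not verified) Custom Corp","Custom Corp","c:\program files\custom corp\updater.exe","""C:\Program Files\Custom Corp\updater.exe"" /tray"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDriveHelper","enabled","Logon","","","","c:\users\alice\appdata\local\temp\helper.hta","mshta.exe C:\Users\alice\AppData\Local\Temp\helper.hta"
"Task Scheduler","\Example Inc\Telemetry","enabled","Tasks","","(Not verified) Example Inc","Example Inc","c:\program files\example\telemetry.exe","rundll32.exe ""C:\Program Files\Example\telemetry.dll"",Run"
'@

function Find-SuspiciousAutorun {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,  # rows from Import-Csv / ConvertFrom-Csv
        [string[]] $Include = @(),                    # extra keywords, analogous to the script's -Include
        [hashtable] $Whitelist = @{}                  # "Value" = "Field", analogous to the script's -Whitelist
    )
    # Baseline keyword list is illustrative; the project's own list is not on this page.
    $keywords = @('rundll32', 'mshta', 'wscript', 'cscript', '\AppData\Local\Temp\') + $Include

    foreach ($e in $Entries) {
        # Whitelist: drop the entry when any listed Field contains its Value (case-insensitive).
        $skip = $false
        foreach ($value in $Whitelist.Keys) {
            $field = $Whitelist[$value]
            if (($e.PSObject.Properties.Name -contains $field) -and ($e.$field -like "*$value*")) {
                $skip = $true; break
            }
        }
        if ($skip) { continue }

        $reasons = @()

        # Signature state: Autorunsc prefixes verified signers with "(Verified)".
        $signer = [string]$e.Signer
        if ([string]::IsNullOrWhiteSpace($signer)) { $reasons += 'Missing signature' }
        elseif ($signer -notlike '(Verified)*')    { $reasons += "Unverified signature: $signer" }

        # Keyword match against the image path and the full launch string.
        $haystack = "$($e.'Image Path') $($e.'Launch String')"
        foreach ($k in $keywords) {
            if ($haystack -like "*$k*") { $reasons += "Keyword: $k" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Location = $e.'Entry Location'
                Entry    = $e.Entry
                Signer   = $signer
                Launch   = $e.'Launch String'
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$entries = $sampleCsv | ConvertFrom-Csv
# Same whitelist shape as the README example: Custom Corp by Signer, Example Inc by Entry.
$findings = Find-SuspiciousAutorun -Entries $entries -Include 'regsvr32' `
    -Whitelist @{ 'Custom Corp' = 'Signer'; 'Example Inc' = 'Entry' }
$findings | Format-Table -AutoSize
```

On the sample rows, only the `OneDriveHelper` entry is reported: it has an empty `Signer` and its launch string hits both the `mshta` and `\AppData\Local\Temp\` keywords. The `Updater` and `Telemetry` rows are unverified but fall under the whitelist, and the Microsoft-signed row matches no keyword. To run the same logic over a real host, replace `$sampleCsv | ConvertFrom-Csv` with `Import-Csv` over the file produced by `autorunsc.exe -c -s -v`.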
------------------------------------
Remote Usage:
```powershell
Invoke-Expression (Invoke-WebRequest -Uri "https://raw.githubusercontent.com/blwhit/AutorunHunter/refs/heads/main/AutorunHunter.ps1" -UseBasicParsing).Content;
```
With Arguments:
```powershell
$scriptContent = (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/blwhit/AutorunHunter/refs/heads/main/AutorunHunter.ps1' -UseBasicParsing).Content
$scriptBlock = [ScriptBlock]::Create($scriptContent)
& $scriptBlock -CSV # <---- Arguments
```