Applications that will be started up from the various run key locations.
name: Windows.Sys.StartupItems
description: |
Applications that will be started up from the various run key
locations.
reference:
- https://docs.microsoft.com/en-us/windows/desktop/setupapi/run-and-runonce-registry-keys
parameters:
- name: AlsoUpload
type: bool
description: If set we also upload the files in the startup folders
- name: runKeyGlobs
type: csv
default: |
KeyGlobs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run*\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*\*
HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*\*
HKEY_USERS\*\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run*\*
HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*\*
- name: startupApprovedGlobs
type: csv
default: |
KeyGlobs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\**
HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\**
- name: startupFolderDirectories
type: csv
default: |
FileGlobs
C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/**
C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/**
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET approved <=
SELECT Name as ApprovedName,
encode(string=Data, type="hex") as Enabled
FROM glob(globs=startupApprovedGlobs.KeyGlobs,
accessor="registry")
WHERE Enabled =~ "^0[0-9]0+$"
LET registry_runners = SELECT Name,
OSPath, Data.value as Details,
if(
condition={
SELECT Enabled from approved
WHERE Name = ApprovedName
},
then="enabled", else="disabled") as Enabled,
"" AS Upload
FROM glob(
globs=runKeyGlobs.KeyGlobs,
accessor="registry")
LET enrich_file(OSPath) = SELECT * FROM switch(
ini={
SELECT regex_replace(re="[^0-9a-z_]", replace=".",
source=read_file(filename=OSPath, length=1024)) AS Details
FROM scope()
WHERE OSPath.Basename =~ ".(bat|ini|ps1)$"
}, lnk={
SELECT {
SELECT SourceFile, ShellLinkHeader, LinkInfo, LinkTarget, StringData, ExtraData
FROM Artifact.Windows.Forensics.Lnk(TargetGlob=OSPath)
} as Details
FROM scope()
}, default={
SELECT hash(path=OSPath) AS Details
FROM scope()
})
LET file_runners =
SELECT Name, OSPath,
enrich_file(OSPath=OSPath)[0].Details AS Details,
"enable" as Enabled,
if(condition=AlsoUpload, then=upload(file=OSPath)) AS Upload
FROM glob(globs=startupFolderDirectories.FileGlobs)
SELECT *
FROM chain(
first=registry_runners,
second=file_runners)