![]() The image above shows the unsigned ASEPs on the two hosts, aggregated by ImagePath and LaunchString. Same as previous, but filters out signed code.Ī picture is worth a few words, here's a sample of output for the previous analysis script for data from a couple systems: ![]() Get-ASEPImagePathLaunchStringUnsignedStack.ps1 Returns frequency count of ASEPs aggregated on ImagePath and LaunchString. Returns frequency count of ASEPs aggregated on ImagePath, LaunchString and code signer. Get-ASEPImagePathLaunchStringPublisherStack.ps1 Same as previous stacker, but filters out signed ASEPs. Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1 Returns a frequency count of ASEPs aggregating on ImagePath, LaunchString and MD5 hash. Get-ASEPImagePathLaunchStringMD5Stack.ps1 Runs Sysinternals Autorunsc.exe with arguments to collect all ASEPs (that Autoruns knows about) across all user profiles, includes ASEP hashes, code signing information (Publisher) and command line arguments (LaunchString).Ĭurrent analysis scripts for Get-Autoruns.ps1 data: In the interest of keeping posts to reasonable lengths, I'll limit the scope of each post to a small number of modules or collectors. Auto Start Extension Points or ASEP data (persistence mechanisms).I'm seeking more ideas for analysis scripts to package with Kansa and am hopeful that you will submit comments with novel, implementable ideas.Įxisting modules can be divided into three categories: As of this writing there are 18 modules, with some overlap between them. With the "Trailer Park" release of Kansa marking a milestone for the core framework, I'm turning my focus to analysis scripts for data collected by the current set of modules.
0 Comments
Leave a Reply. |