AutorunConsole and AutorunCheck

Using AutorunConsole

AutorunConsole loads all available Autorun snapshots taken by AutorunCheck and presents an overview of how Autorun persistence mechanisms are distributed across the endpoints, together with their authentication status and other information relevant to security management.


Before using AutorunConsole, there are a few requirements and guidelines to know.

  • All software can be extracted to and executed from a USB storage device.
  • The “Console” PC is the PC that will run AutorunConsole software.
  • AutorunCheck must be run on each endpoint PC with command line parameters to record snapshots of each endpoint PC’s Autorun settings.
  • All endpoint PC Autorun snapshots must be copied to a folder accessible by the Console PC.

Begin by unzipping AutorunCheck (both x86 and x64) and AutorunConsole onto a USB storage device. For small networks with only a few PCs, or for PCs spread across networks you cannot reach from one place, the easiest approach is to walk up to each physical PC, plug in the USB drive, and execute “autoruncheck.exe -s” with “Run as Administrator” privileges (administrative rights are needed to read every autostart location). AutorunCheck saves a snapshot, named after the PC’s system name, in the folder it was executed from. After taking snapshots on each endpoint PC, run AutorunConsole on the Console PC and open the autoruncheck.exe execution folder containing all of the snapshot files.

Using AutorunConsole with Command Line

For larger networks, using command line operations to automate snapshot collection is highly recommended. Before starting, note that you will need to have a network accessible shared folder for AutorunCheck.exe (x86 and x64) and for saving AutorunCheck snapshots of each endpoint PC.

Example command line for automating snapshot collection across a network (typed at an interactive command prompt; inside a .bat file write %%i instead of %i). \\Exefolder and \\Snapshotfolder stand for the UNC paths of the two shared folders described above:

for /L %i in (1, 1, 254) do @psexec -s -n 4 \\192.168.1.%i cmd /c "\\Exefolder\autoruncheck.exe -s \\Snapshotfolder"

Notes on the above command line script

  1. The loop runs the snapshot command against every address in the network, so a snapshot is taken on each PC with a reachable IP address.
  2. The “for /L” loop counts from 1 to 254 and assigns each value to the variable %i. Replace 192.168.1. with the appropriate network IP address prefix.
  3. You can nest this loop inside another loop to cover more than one octet at a time.
  4. The snapshot command uses psexec.exe from Microsoft Sysinternals. Its “-s” parameter runs autoruncheck.exe on the remote PC as the SYSTEM account, and “-n 4” makes psexec give up after 4 seconds if it cannot connect. psexec needs SMB (TCP 445) and the ADMIN$ share on each endpoint, and because the remote process runs as SYSTEM it reaches \\Exefolder and \\Snapshotfolder as the endpoint’s computer account, so those shares must grant that account read and write access respectively (or supply explicit credentials with psexec’s -u/-p options).
  5. Finally, all of the snapshots of the addressable endpoint PCs should reside in \\Snapshotfolder. In AutorunConsole, choose File -> New -> From Folder… from the menu bar and point to this snapshot folder. AutorunConsole reads all of the snapshots in the folder and presents the inter-host autorun distribution for situational awareness.
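The same collection, as an added PowerShell example rather than code shipped with AutorunCheck or AutorunConsole. It goes beyond the one-line loop above: it skips hosts that do not answer on TCP 445 before invoking psexec, records psexec’s exit code per host, and then checks the snapshot share for a file named after each endpoint so hosts that produced no snapshot are reported. The share paths \\fileserver\tools and \\fileserver\snapshots, the assumption that psexec.exe is on PATH, and the assumption that snapshot file names begin with the endpoint’s host name are placeholders for this example.

```powershell
# Added example; not part of the AutorunCheck/AutorunConsole package.
# Assumptions (placeholders, adjust to your environment): psexec.exe is on PATH,
# \\fileserver\tools holds autoruncheck.exe, \\fileserver\snapshots receives the
# snapshots, and snapshot file names start with the endpoint's host name.
param(
    [string]$Prefix        = '192.168.1',
    [string]$ExeShare      = '\\fileserver\tools',
    [string]$SnapshotShare = '\\fileserver\snapshots',
    [int]   $TimeoutSec    = 4
)

# Same address range as the for /L loop above.
$targets = 1..254 | ForEach-Object { "$Prefix.$_" }

# Pre-check TCP 445: psexec needs SMB and the ADMIN$ share, so skipping hosts
# that do not answer on 445 avoids waiting for the psexec timeout on each one.
$reachable = foreach ($ip in $targets) {
    if (Test-NetConnection -ComputerName $ip -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue) {
        $ip
    }
}

$results = foreach ($ip in $reachable) {
    # psexec -s runs the remote process as SYSTEM (needed to read every
    # autostart location); -n gives up after $TimeoutSec seconds if the host
    # does not respond. A SYSTEM process reaches UNC paths as the endpoint's
    # computer account, so the shares must grant that account access
    # (read on $ExeShare, write on $SnapshotShare) unless -u/-p is used.
    & psexec.exe -accepteula -s -n $TimeoutSec "\\$ip" cmd /c "$ExeShare\autoruncheck.exe -s $SnapshotShare" 2>&1 | Out-Null
    $code = $LASTEXITCODE

    # AutorunCheck names the snapshot after the endpoint's system name, so
    # resolve the address back to a host name to locate the file.
    $name = try { ([System.Net.Dns]::GetHostEntry($ip).HostName -split '\.')[0] } catch { $null }
    $snap = $null
    if ($name) {
        $snap = Get-ChildItem -Path $SnapshotShare -Filter "$name*" -ErrorAction SilentlyContinue |
                Select-Object -First 1
    }
    $snapName = if ($snap) { $snap.Name } else { $null }

    [pscustomobject]@{
        Host         = $ip
        Name         = $name
        PsExecExit   = $code
        SnapshotFile = $snapName
    }
}

# Hosts without a snapshot file need a second look: offline, no admin-share
# access, AV/EDR blocking psexec's service binary, or share permissions.
$results | Sort-Object Host | Format-Table -AutoSize
$results | Where-Object { -not $_.SnapshotFile } |
    Export-Csv -Path (Join-Path $SnapshotShare 'missing-snapshots.csv') -NoTypeInformation
```

Run it from the Console PC as an account that is a local administrator on the endpoints; the resulting missing-snapshots.csv is the list to work through before opening the snapshot folder in AutorunConsole, since an endpoint that silently failed to snapshot is otherwise invisible in the distribution view.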


Reference:

  • PsExec (psexec.exe), Microsoft Sysinternals, TechNet: https://technet.microsoft.com/en-us/sysinternals/bb897553
  • Finding Evil: Automating Autoruns Analysis