Checks for an autostart entry (the HKLM/HKCU Run registry keys or the per-user and all-users Startup folders) that invokes regsvr32 with an HTTP/HTTPS URL on its command line, i.e. an attempt to load a dynamic link library (DLL) from the internet at logon.
Create or edit a configuration profile with the following information:
Create or edit the following script and configure it to run when the check fails:
Use the policy below to verify:
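-- Pass (return a row) only when no autostart item runs regsvr32 with an
-- http/https URL among its arguments. Match the executable by substring rather
-- than exact equality so entries such as C:\Windows\System32\regsvr32.exe or
-- regsvr32.exe are not missed; SQLite LIKE is case-insensitive for ASCII.
-- Single-quoted strings are used because SQLite treats double quotes as
-- identifiers first and only falls back to a string literal.
SELECT 1 WHERE NOT EXISTS (
  SELECT 1 FROM startup_items
  WHERE path LIKE '%regsvr32%' AND args LIKE '%http%'
);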
# Script-scope state shared with the collector functions below.
# $found becomes $true once an autostart entry running regsvr32 against a URL is seen;
# $startupItems accumulates every autostart command line discovered, as plain values.
$startupItems = @()
$found = $false
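function Get-RegistryStartupItems {
    <#
    .SYNOPSIS
        Appends the data of every value under the Run registry keys to $script:startupItems.
    .DESCRIPTION
        Reads the HKLM (native and WOW6432Node) and HKCU Run keys. The note properties
        that the registry provider attaches to the result (PSPath etc.) are skipped, as
        are empty values. The assignment targets the script scope explicitly: a bare
        `$startupItems += ...` inside a function reads the script-level array but writes
        a new function-local copy, so the script-level array would stay empty and the
        check could never fire.
    .NOTES
        RunOnce keys and other autostart locations are not inspected here.
    #>
    $runKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    )
    # Properties added by Get-ItemProperty for the provider; they are not registry values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        try {
            $values = Get-ItemProperty -Path $key -ErrorAction Stop
        } catch {
            # Unreadable key (permissions, transient error): skip it rather than abort the check.
            continue
        }
        if ($null -eq $values) { continue }
        foreach ($value in $values.PSObject.Properties) {
            if ($providerProps -contains $value.Name) { continue }
            if (-not $value.Value) { continue }
            $script:startupItems += $value.Value
        }
    }
}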
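function Get-StartupFolderItems {
    <#
    .SYNOPSIS
        Appends the resolved command line of every .lnk in the Startup folders to $script:startupItems.
    .DESCRIPTION
        Inspects the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders and,
        for each shortcut, joins its target path and arguments into one "target args" string.
        The assignment targets the script scope explicitly: a bare `$startupItems += ...`
        inside a function writes a function-local copy and leaves the script-level array
        empty, so the check could never fire.
    .NOTES
        Only .lnk files are inspected; files dropped directly into the folder are ignored.
        The per-user folder is that of the account running the script, so when executed as
        SYSTEM the Startup folders of other users are not covered.
    #>
    $startupFolders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    $shell = New-Object -ComObject WScript.Shell
    try {
        foreach ($folder in $startupFolders) {
            if (-not (Test-Path -Path $folder)) { continue }
            $links = Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue
            foreach ($link in $links) {
                try {
                    $shortcut = $shell.CreateShortcut($link.FullName)
                } catch {
                    # Corrupt or unreadable shortcut: skip it rather than abort the check.
                    continue
                }
                $commandLine = $shortcut.TargetPath
                if ($shortcut.Arguments) {
                    $commandLine += " " + $shortcut.Arguments
                }
                $script:startupItems += $commandLine
            }
        }
    } finally {
        # Release the COM object; the script does not otherwise hold it.
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}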
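function Test-RegsvrInternetLoad {
    <#
    .SYNOPSIS
        Returns $true when a command line runs regsvr32 and contains "http" anywhere.
    .PARAMETER CommandLine
        One autostart command line: registry value data or a shortcut's "target args".
    .DESCRIPTION
        The executable is taken as the leading double-quoted string when the line starts
        with a quote (so paths with spaces such as "C:\Program Files\...\regsvr32.exe" are
        handled), otherwise as the first whitespace-delimited token. The basename is derived
        with string operations instead of [System.IO.Path] so that stray characters in
        registry data never raise an exception that would abort the whole check.
    #>
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $line = $CommandLine.Trim()
    if ($line.StartsWith('"') -and $line -match '^"([^"]+)"?') {
        $exePath = $Matches[1]
    } elseif ($line -match '^(\S+)') {
        $exePath = $Matches[1]
    } else {
        return $false
    }
    # Last path segment, with a trailing extension (e.g. ".exe") removed.
    $exeName = ($exePath -split '[\\/]')[-1] -replace '\.[^.]*$', ''
    return ($exeName -ieq 'regsvr32' -and $line -imatch 'http')
}

Get-RegistryStartupItems
Get-StartupFolderItems
foreach ($item in $startupItems) {
    if (Test-RegsvrInternetLoad -CommandLine $item) {
        $found = $true
        break
    }
}
# Emit "1" only when nothing suspicious was found; no output means the check fails.
if (-not $found) {
    Write-Output "1"
}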
PowerShell commands are currently work in progress, contributions welcome.