Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
Suspicious autostart

Suspicious autostart

Checks for an autostart that is attempting to load a dynamic link library (DLL) from the internet.

Control

Create or edit a configuration profile with the following information:

Create or edit the following script and configure it to run when the check fails:

Check

Use the policy below to verify:

SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM startup_items WHERE path = "regsvr32" AND args LIKE "%http%");
$found = $false

    $startupItems = @()


    function Get-RegistryStartupItems {
        $regPaths = @(
            "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
            "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
        )
        foreach ($regPath in $regPaths) {
            if (Test-Path $regPath) {
                try {
                    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
                    foreach ($prop in $props.PSObject.Properties) {
                        if ($prop.Name -notmatch "^PS(Remote)?$" -and $prop.Value -and ($prop.Name -ne "PSPath" -and $prop.Name -ne "PSParentPath" -and $prop.Name -ne "PSChildName" -and $prop.Name -ne "PSDrive" -and $prop.Name -ne "PSProvider")) {
                            $startupItems += $prop.Value
                        }
                    }
                } catch {
                    continue
                }
            }
        }
    }


    function Get-StartupFolderItems {
        $folders = @(
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
        )
        $wscript = New-Object -ComObject WScript.Shell
        foreach ($folder in $folders) {
            if (Test-Path $folder) {
                Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
                    try {
                        $shortcut = $wscript.CreateShortcut($_.FullName)
                        $command = $shortcut.TargetPath
                        if ($shortcut.Arguments) {
                            $command += " " + $shortcut.Arguments
                        }
                        $startupItems += $command
                    } catch {
                        continue
                    }
                }
            }
        }
    }


    Get-RegistryStartupItems

    Get-StartupFolderItems


    foreach ($item in $startupItems) {
        if (-not $item) { continue }
        # Remove any surrounding quotes and trim whitespace.
        $item = $item.Trim('"').Trim()
        if ($item.Length -eq 0) { continue }
        # Split into tokens by whitespace.
        $tokens = $item -split "\s+"
        if ($tokens.Count -eq 0) { continue }
        # Get the executable portion and extract the file name without extension.
        $exePath = $tokens[0]
        $exeName = [System.IO.Path]::GetFileNameWithoutExtension($exePath)
        if ($exeName -ieq "regsvr32" -and $item -imatch "http") {
            $found = $true
            break
        }
    }


    if (-not $found) {
        Write-Output "1"
    }
An icon indicating that this section has important information

PowerShell commands are currently work in progress, contributions welcome.

An icon indicating that this section has important information

Bash commands are currently work in progress, contributions welcome.

Platform

macOSmacOS/apple

WindowsWindows

LinuxLinux

ChromeOSChromeOS

Docs REST API Guides A pencil iconEdit page