How so? There are two ways that Get-AutorunscDeep.ps1 improves on Autorunsc.exe alone.

Get-AutorunscDeep.ps1 includes code written by my friend (who will be speaking at the SANS 2015 DFIR Summit) that calculates the Shannon entropy of Autorunsc's Image Path property. As many of you well know, packed binaries are common in malware families, and those binaries have higher entropy than many legitimate binaries, so knowing a file's entropy can be a useful lead-generation tool when dealing with large amounts of data.

Get-AutorunscDeep.ps1 also goes a step further than Autorunsc.exe alone for common interpreters that execute scripts, such as cmd.exe, PowerShell.exe or wscript.exe, that may call. Below in Figure 1, I've run the latest version of Autorunsc.exe and saved the output to a CSV file, then loaded that CSV file into a PowerShell variable called $data, and then dumped the contents of $data for any entry that calls a PowerShell script:

Figure 1: Output of Autorunsc.exe for a PowerShell ASEP

Note that in Figure 1, Autorunsc.exe provides hashes of the PowerShell.exe binary itself, not of the script it launches.
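The two ideas above, an entropy score on the Image Path and a filter for ASEPs that launch PowerShell scripts, can be combined in a few lines. The following is an added example, not code from Get-AutorunscDeep.ps1 or from Autorunsc; the column names (Entry Location, Entry, Image Path, Launch String) are assumed to follow Autorunsc's `-c` CSV output, the sample rows are constructed, and the 7.2 entropy threshold is an assumed rule of thumb for lead generation, not a verdict.

```powershell
# Shannon entropy (bits per byte) of a byte array: 0 for a constant file, 8 for uniform random data.
function Get-ShannonEntropy {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 4)
}

# Entropy of a file on disk; returns $null if the Image Path cannot be read.
function Get-FileEntropy {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    Get-ShannonEntropy -Bytes ([System.IO.File]::ReadAllBytes($Path))
}

# Select ASEPs whose launch string or image path points at a PowerShell script,
# and annotate each with the entropy of the binary Autorunsc hashed.
function Get-PowerShellAsep {
    param(
        [Parameter(Mandatory)][object[]]$Data,
        [double]$EntropyThreshold = 7.2   # assumed rule-of-thumb cut-off for "looks packed"
    )
    $Data |
        Where-Object {
            $_.'Launch String' -match '(?i)powershell(\.exe)?\b|\.ps1\b' -or
            $_.'Image Path'    -match '(?i)\.ps1$'
        } |
        ForEach-Object {
            $e = Get-FileEntropy -Path $_.'Image Path'
            [pscustomobject]@{
                'Entry Location' = $_.'Entry Location'
                'Entry'          = $_.'Entry'
                'Image Path'     = $_.'Image Path'
                'Launch String'  = $_.'Launch String'
                'Entropy'        = $e
                'HighEntropy'    = ($null -ne $e -and $e -ge $EntropyThreshold)
            }
        }
}

# Constructed sample in Autorunsc's CSV shape; in practice use:
#   $data = Import-Csv .\autoruns.csv
$sample = @'
"Entry Location","Entry","Image Path","Launch String"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run","Updater","c:\windows\system32\windowspowershell\v1.0\powershell.exe","powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\upd\update.ps1"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run","Audio","c:\program files\vendor\audio.exe","""C:\Program Files\Vendor\audio.exe"" /tray"
"Task Scheduler","\Maint","c:\windows\system32\wscript.exe","wscript.exe C:\Scripts\cleanup.vbs"
'@
$data = $sample | ConvertFrom-Csv

# Entropy of random data sits near 8 bits/byte; of a text-like buffer much lower.
$rand = New-Object byte[] 4096; (New-Object Random).NextBytes($rand)
"Random buffer entropy: $(Get-ShannonEntropy -Bytes $rand)"
"ASCII buffer entropy:  $(Get-ShannonEntropy -Bytes ([Text.Encoding]::ASCII.GetBytes('aaaaaaaabbbbcc')))"

# Only the first sample row is a PowerShell ASEP; Entropy is $null unless the path exists on this host.
Get-PowerShellAsep -Data $data | Format-Table -AutoSize
```

The entropy column describes the interpreter binary that Autorunsc hashed (PowerShell.exe in the first row), which is exactly why the script the launch string names deserves its own look: a clean, signed interpreter tells you nothing about the .ps1 it is told to run.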