internal/pkg/hunt/detect/autorun/autorun.go

package autorun

import (
	"fmt"
	"rmm-hunter/internal/pkg/hunt/detect/common"
	. "rmm-hunter/internal/suspicious"
	"strings"

	"github.com/Kraken-OffSec/Scurvy/core/autoruns"
)

func Detect() []AutoRun {
	var suspiciousAutoRuns []AutoRun

	fmt.Printf("[*] Enumerating AutoRun Applications\n")

	// Use Scurvy to enumerate autoruns from multiple sources
	autoRuns := autoruns.GetAllAutoruns()
	fmt.Printf("   [>] Dispositioning %d AutoRun Entries\n", len(autoRuns))

	for _, ar := range autoRuns {
		// Map Scurvy autorun to our Suspicious.AutoRun struct
		sar := AutoRun{
			Type:         ar.Type,
			Location:     ar.Location,
			ImagePath:    ar.ImagePath,
			ImageName:    ar.ImageName,
			Arguments:    ar.Arguments,
			MD5:          ar.MD5,
			SHA1:         ar.SHA1,
			SHA256:       ar.SHA256,
			Entry:        ar.Entry,
			LaunchString: ar.LaunchString,
		}

		if isSuspiciousAutoRunEntry(sar) {
			fmt.Printf("   [?] Found %s | %s | %s\n", sar.Location, sar.Entry, sar.ImagePath)
			suspiciousAutoRuns = append(suspiciousAutoRuns, sar)
		}
	}

	fmt.Printf("[+] Found %d Suspicious AutoRun Applications\n", len(suspiciousAutoRuns))
	return suspiciousAutoRuns
}

// isSuspiciousAutoRunEntry determines if an autorun looks like an RMM by
// checking image path/name, location, entry and launch string against
// common RMM indicators and suspicious image suffixes. It also flags
// suspicious installation paths.
func isSuspiciousAutoRunEntry(ar AutoRun) bool {
	// Prepare lowercase fields for matching
	fields := []string{
		strings.ToLower(ar.ImageName),
		strings.ToLower(ar.ImagePath),
		strings.ToLower(ar.Location),
		strings.ToLower(ar.LaunchString),
		strings.ToLower(ar.Entry),
	}

	// Match against known RMM names/keywords
	for _, rmm := range common.CommonRMMs {
		r := strings.ToLower(rmm)
		for _, f := range fields {
			if strings.Contains(f, r) {
				return true
			}
		}
	}

	// Match against common suspicious image suffix/patterns (path or name)
	imgPathLower := strings.ToLower(ar.ImagePath)
	imgNameLower := strings.ToLower(ar.ImageName)
	for _, suf := range common.CommonImageSuffixes {
		s := strings.ToLower(suf)
		if strings.Contains(imgPathLower, s) || strings.Contains(imgNameLower, s) {
			return true
		}
	}

	// Suspicious installation paths
	if suspicious, _ := common.AnalyzeExecutablePath(ar.ImagePath); suspicious {
		return true
	}
	// Consider launch string as a command line too
	if ar.LaunchString != "" {
		if suspicious, _ := common.AnalyzeExecutablePath(ar.LaunchString); suspicious {
			return true
		}
	}

	return false
}
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`package autorun`

			`import (`
			`"fmt"`
			`"rmm-hunter/internal/pkg/hunt/detect/common"`
			`. "rmm-hunter/internal/suspicious"`
			`"strings"`

Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`"github.com/Kraken-OffSec/Scurvy/core/autoruns"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`)`

			`func Detect() []AutoRun {`
			`var suspiciousAutoRuns []AutoRun`

			`fmt.Printf("[*] Enumerating AutoRun Applications\n")`

Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`// Use Scurvy to enumerate autoruns from multiple sources`
			`autoRuns := autoruns.GetAllAutoruns()`
			`fmt.Printf(" [>] Dispositioning %d AutoRun Entries\n", len(autoRuns))`

			`for _, ar := range autoRuns {`
			`// Map Scurvy autorun to our Suspicious.AutoRun struct`
			`sar := AutoRun{`
			`Type: ar.Type,`
			`Location: ar.Location,`
			`ImagePath: ar.ImagePath,`
			`ImageName: ar.ImageName,`
			`Arguments: ar.Arguments,`
			`MD5: ar.MD5,`
			`SHA1: ar.SHA1,`
			`SHA256: ar.SHA256,`
			`Entry: ar.Entry,`
			`LaunchString: ar.LaunchString,`
			`}`
Refine AutoRun logging to display key counts, remove redundant entry count log 2025-10-10 17:01:14 -04:00
Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`if isSuspiciousAutoRunEntry(sar) {`
			`fmt.Printf(" [?] Found %s \| %s \| %s\n", sar.Location, sar.Entry, sar.ImagePath)`
			`suspiciousAutoRuns = append(suspiciousAutoRuns, sar)`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`
			`}`

			`fmt.Printf("[+] Found %d Suspicious AutoRun Applications\n", len(suspiciousAutoRuns))`
			`return suspiciousAutoRuns`
			`}`

Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`// isSuspiciousAutoRunEntry determines if an autorun looks like an RMM by`
			`// checking image path/name, location, entry and launch string against`
			`// common RMM indicators and suspicious image suffixes. It also flags`
			`// suspicious installation paths.`
			`func isSuspiciousAutoRunEntry(ar AutoRun) bool {`
			`// Prepare lowercase fields for matching`
			`fields := []string{`
			`strings.ToLower(ar.ImageName),`
			`strings.ToLower(ar.ImagePath),`
			`strings.ToLower(ar.Location),`
			`strings.ToLower(ar.LaunchString),`
			`strings.ToLower(ar.Entry),`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`

Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`// Match against known RMM names/keywords`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`for _, rmm := range common.CommonRMMs {`
Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`r := strings.ToLower(rmm)`
			`for _, f := range fields {`
			`if strings.Contains(f, r) {`
			`return true`
			`}`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`
			`}`

Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`// Match against common suspicious image suffix/patterns (path or name)`
			`imgPathLower := strings.ToLower(ar.ImagePath)`
			`imgNameLower := strings.ToLower(ar.ImageName)`
			`for _, suf := range common.CommonImageSuffixes {`
			`s := strings.ToLower(suf)`
			`if strings.Contains(imgPathLower, s) \|\| strings.Contains(imgNameLower, s) {`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`return true`
			`}`
			`}`

Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`// Suspicious installation paths`
			`if suspicious, _ := common.AnalyzeExecutablePath(ar.ImagePath); suspicious {`
			`return true`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`
Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			`// Consider launch string as a command line too`
			`if ar.LaunchString != "" {`
			`if suspicious, _ := common.AnalyzeExecutablePath(ar.LaunchString); suspicious {`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`return true`
			`}`
			`}`

			`return false`
			`}`