Implement initial detection and data structures for suspicious artifacts

internal/pkg/hunt/detect/autorun/autorun.go

@@ -0,0 +1,170 @@
+package autorun
+
+import (
+	"fmt"
+	"rmm-hunter/internal/pkg/hunt/detect/common"
+	. "rmm-hunter/internal/suspicious"
+	"strings"
+
+	"golang.org/x/sys/windows/registry"
+)
+
+func Detect() []AutoRun {
+	var suspiciousAutoRuns []AutoRun
+
+	fmt.Printf("[*] Enumerating AutoRun Applications\n")
+
+	// Check common autorun registry locations
+	autorunKeys := []string{
+		`SOFTWARE\Microsoft\Windows\CurrentVersion\Run`,
+		`SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`,
+		`SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run`,
+		`SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce`,
+		`SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices`,
+		`SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce`,
+		`SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`,
+		`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit`,
+		`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`,
+		`SOFTWARE\Microsoft\Active Setup\Installed Components`,
+	}
+
+	// Check both HKLM and HKCU
+	roots := []registry.Key{registry.LOCAL_MACHINE, registry.CURRENT_USER}
+	rootNames := []string{"HKLM", "HKCU"}
+
+	totalEntries := 0
+	for i, root := range roots {
+		for _, keyPath := range autorunKeys {
+			entries := checkAutoRunKey(root, keyPath, rootNames[i])
+			totalEntries += len(entries)
+			suspiciousAutoRuns = append(suspiciousAutoRuns, entries...)
+		}
+	}
+
+	fmt.Printf("   [>] Dispositioning %d AutoRun Entries\n", totalEntries)
+	fmt.Printf("[+] Found %d Suspicious AutoRun Applications\n", len(suspiciousAutoRuns))
+
+	return suspiciousAutoRuns
+}
+
+func checkAutoRunKey(root registry.Key, keyPath, rootName string) []AutoRun {
+	var autoRuns []AutoRun
+
+	key, err := registry.OpenKey(root, keyPath, registry.QUERY_VALUE)
+	if err != nil {
+		return autoRuns
+	}
+	defer key.Close()
+
+	valueNames, err := key.ReadValueNames(-1)
+	if err != nil {
+		return autoRuns
+	}
+
+	for _, valueName := range valueNames {
+		value, _, err := key.GetStringValue(valueName)
+		if err != nil {
+			continue
+		}
+
+		// Check if this autorun entry matches any known Suspicious patterns
+		if isSuspiciousAutoRun(valueName, value) {
+			// Analyze the executable path for additional suspicious indicators
+			isPathSuspicious, pathReason := analyzeExecutablePath(value)
+			description := extractDescription(value)
+			if isPathSuspicious {
+				description += fmt.Sprintf(" [%s]", pathReason)
+			}
+
+			fmt.Printf("   [?] Found %s\\%s: %s = %s\n", rootName, keyPath, valueName, value)
+			autoRuns = append(autoRuns, AutoRun{
+				Name:        valueName,
+				Command:     value,
+				Location:    fmt.Sprintf("%s\\%s", rootName, keyPath),
+				Enabled:     true,
+				Description: description,
+			})
+		}
+	}
+
+	return autoRuns
+}
+
+func isSuspiciousAutoRun(name, command string) bool {
+	// Convert to lowercase for case-insensitive comparison
+	nameLower := strings.ToLower(name)
+	commandLower := strings.ToLower(command)
+
+	// Check against known Suspicious names
+	for _, rmm := range common.CommonRMMs {
+		rmmLower := strings.ToLower(rmm)
+		if strings.Contains(nameLower, rmmLower) || strings.Contains(commandLower, rmmLower) {
+			return true
+		}
+	}
+
+	// Check against common Suspicious executable patterns
+	for _, imageEnd := range common.CommonImageEnds {
+		imageEndLower := strings.ToLower(imageEnd)
+		if strings.Contains(commandLower, imageEndLower) {
+			return true
+		}
+	}
+
+	// Additional suspicious patterns
+	suspiciousPatterns := []string{
+		"remote", "control", "assist", "support", "vnc", "rdp", "teamview",
+		"anydesk", "logmein", "screenconnect", "splashtop", "ultravnc",
+	}
+
+	for _, pattern := range suspiciousPatterns {
+		if strings.Contains(nameLower, pattern) || strings.Contains(commandLower, pattern) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func extractDescription(command string) string {
+	// Extract just the executable name from the command
+	parts := strings.Fields(command)
+	if len(parts) > 0 {
+		return parts[0]
+	}
+	return command
+}
+
+func analyzeExecutablePath(command string) (bool, string) {
+	// Extract executable path from command
+	var execPath string
+	if strings.HasPrefix(command, "\"") {
+		// Handle quoted paths
+		endQuote := strings.Index(command[1:], "\"")
+		if endQuote != -1 {
+			execPath = command[1 : endQuote+1]
+		}
+	} else {
+		// Handle unquoted paths
+		parts := strings.Fields(command)
+		if len(parts) > 0 {
+			execPath = parts[0]
+		}
+	}
+
+	// Check for suspicious installation paths
+	suspiciousPaths := []string{
+		"\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\",
+		"\\users\\public\\", "\\programdata\\",
+		"\\windows\\temp\\", "\\%temp%\\",
+	}
+
+	execPathLower := strings.ToLower(execPath)
+	for _, suspPath := range suspiciousPaths {
+		if strings.Contains(execPathLower, suspPath) {
+			return true, fmt.Sprintf("Suspicious installation path: %s", suspPath)
+		}
+	}
+
+	return false, ""
+}

internal/pkg/hunt/detect/autorun/autorun_test.go

@@ -0,0 +1,16 @@
+package autorun
+
+import "testing"
+
+func TestAutoRun(t *testing.T) {
+	autoruns := Detect()
+	for _, ar := range autoruns {
+		t.Logf("-----")
+		t.Logf("Name: %s", ar.Name)
+		t.Logf("Command: %s", ar.Command)
+		t.Logf("Location: %s", ar.Location)
+		t.Logf("Enabled: %t", ar.Enabled)
+		t.Logf("Description: %s", ar.Description)
+		t.Logf("-----")
+	}
+}