`commandprocautorun`#

$ target-query <path/to/target> -f commandprocautorun

Details#
Module	`os.windows.generic.GenericPlugin`
Output	`records`

Module documentation

Generic Windows plugin.

Provides some plugins that don’t fit in a separate plugin.

Function documentation

Return all available Command Processor (cmd.exe) AutoRun registry key values.

The Command Processor AutoRun registry key values contain commands that are run each time the Command Processor (cmd.exe) is started. Since these commands are not shown to the user in the Command Processor, it can be exploited by an adversary to hide malicious commands or leverage as a persistence mechanism

References:

https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779439%28v=ws.10%29?redirectedfrom=MSDN

commandprocautorun#

`commandprocautorun`#