id: autorun-scripts-startup-folder

info:
  name: Autorun Scripts in Startup Folder
  author: princechaddha
  severity: medium
  description: Detect unauthorized scripts or executables in startup folders.
  impact: |
    Unauthorized scripts or executables can lead to the execution of malicious software during system startup.
  remediation: |
    Remove any unauthorized scripts or executables from the startup folder and implement security policies to restrict future unauthorized additions.
  tags: windows,startup,autorun,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-ChildItem -Path "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

    matchers:
      - type: word
        words:
          - ".exe"
          - ".ps1"
# digest: 490a004630440220020df35676350192ecbe812b34b37ae24c5fa4ab43df5ecb0289c9e5ea25dfb902204ee1fd2b3a55297897318f68a131c7fdaa5f814c73e4f2359217201b562cb2ea:922c64590222798bb761d5b6d8e72950