--- name: analyzing-malware-persistence-with-autoruns description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. domain: cybersecurity subdomain: malware-analysis tags: - autoruns - persistence - malware-analysis - sysinternals - windows - registry - startup - incident-response mitre_attack: - T1547 - T1053 - T1543 - T1546 version: '1.0' author: mahipal license: Apache-2.0 d3fend_techniques: - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis nist_csf: - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 --- # Analyzing Malware Persistence with Autoruns ## Overview Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination. ## When to Use - When investigating security incidents that require analyzing malware persistence with autoruns - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Sysinternals Autoruns (GUI) and Autorunsc (CLI) - Administrative privileges on target system - Python 3.9+ for automated analysis - VirusTotal API key for reputation checks - Clean baseline export for comparison ## Workflow ### Step 1: Automated Persistence Scanning ```python #!/usr/bin/env python3 """Automate Autoruns-based persistence analysis.""" import subprocess import csv import json import sys def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"): cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"] result = subprocess.run(cmd, capture_output=True, text=True, timeout=600) with open(csv_path, 'w') as f: f.write(result.stdout) return parse_and_flag(csv_path) def parse_and_flag(csv_path): suspicious = [] with open(csv_path, 'r', errors='replace') as f: for row in csv.DictReader(f): reasons = [] signer = row.get("Signer", "") if not signer or signer == "(Not verified)": reasons.append("Unsigned binary") if not row.get("Description") and not row.get("Company"): reasons.append("Missing metadata") path = row.get("Image Path", "").lower() for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]: if sp in path: reasons.append(f"Suspicious path") launch = row.get("Launch String", "").lower() for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]: if kw in launch: reasons.append(f"LOLBin: {kw}") if reasons: row["reasons"] = reasons suspicious.append(row) return suspicious if __name__ == "__main__": if len(sys.argv) > 1: results = parse_and_flag(sys.argv[1]) print(f"[!] {len(results)} suspicious entries") for r in results: print(f" {r.get('Entry','')} - {r.get('Image Path','')}") for reason in r.get('reasons', []): print(f" - {reason}") ``` ## Validation Criteria - All ASEP categories scanned and cataloged - Unsigned entries flagged for investigation - Suspicious paths and LOLBin launch strings highlighted - Baseline comparison identifies new persistence mechanisms ## References - [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns) - [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/) - [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2) - [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)