Autoruns v14.06 – Malware Autostart locations for Incident Responders

0

Overview

Microsoft Autoruns v14.06 is a Microsoft Sysinternals tool written by Mark Russinovich, an excellent application that enables you to find the malware auto-starting locations on boot finds programs that are configured to run during system bootup or login. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.


It can be operated on both a command-line interface and GUI. Most significant is this tool to check third-party auto-starting images that are configured for the accounts on a system. Integration of the popular Virustotal in the tool provides more insights into the suspicious files that are hiding in the system. Much more to do with autostart utilities, Let’s get started.

Installation steps

  1. Download Autoruns for Windows v14.06 from https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  2. Extract the .zip file.
  3. Run the .exe file for your system as administrator in command prompt.
  • For a 32-bit system, choose Autoruns.
  • For a 64-bit system, choose Autoruns64.

Also Read: FireEye’s Open-Source Tool – CAPA to Identify Malware Capabilities

Working with Autoruns

The above figure shows, Autoruns64.exe is started in command prompt, and immediately a graphical window pops up and shows the list of images that are enabled to startup on boot.

The above figure shows a list of information about the autostart image path, publisher names, descriptions, and more. Some of the publishers are shown in red line means that is not verified. Verified publishers are shown in white lines. Yellow lines state file is not found. To cut off the noise of most trusted publishers we will apply the below filters to find the unknown publisher’s image paths.

Also Read: Dynamic Malware Analysis – Procmon to Extract Indicators of Compromise

The above figure illustrates, Hiding the empty locations, Microsoft entries, and windows entries will temporarily exclude Microsoft publisher executables. To complete the actions go to scan options and enable verify code signatures, check virutotal.com, and submit unknown images.

The above list of figures shows, applied filter excludes the Microsoft executables and shows only the files that belong only to other companies which are verified or not verified. Both case malware can achieve its persistence mechanism.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

As we enabled the options such as check virustotal and submit unknown images, these should find us the malicious file that is hiding and executed behind each boot time. Here we see below findings from virustotal

The above figure shows what we see as the Virustotal results for some executables with malware detection ratio. To check the persistence registry locations. Right-click on the image and select Jump to entry, this will take you to the registry.

Also Read: Windows Service Creation and Malware Detection Methods

The above figure shows file Utorrent is configured to autostart and the registry location is Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run , Now you can clean this malware!

Working with autorunsc

Autorunsc is does the same job in command-line interface

Usage: autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] | [user]]]

ParameterDescription
-aAutostart entry selection:
*All.
bBoot execute.
dAppinit DLLs.
eExplorer addons.
gSidebar gadgets (Vista and higher)
hImage hijacks.
iInternet Explorer addons.
kKnown DLLs.
lLogon startups (this is the default).
mWMI entries.
nWinsock protocol and network providers.
oCodecs.
pPrinter monitor DLLs.
rLSA security providers.
sAutostart services and non-disabled drivers.
tScheduled tasks.
wWinlogon entries.
-cPrint output as CSV.
-ctPrint output as tab-delimited values.
-hShow file hashes.
-mHide Microsoft entries (signed entries if used with -v).
-sVerify digital signatures.
-tShow timestamps in normalized UTC (YYYYMMDD-hhmmss).
-uIf VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.
-xPrint output as XML.
-v[rs]Query VirusTotal for malware based on file hash. Add ‘r’ to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the ‘s’ option is specified. Note scan results may not be available for five or more minutes.
-vtBefore using VirusTotal features, you must accept the VirusTotal terms of service. If you haven’t accepted the terms and you omit this option, you will be interactively prompted.
-zSpecifies the offline Windows system to scan.
userSpecifies the name of the user account for which autorun items will be shown. Specify ‘*’ to scan all user profiles.
Microsoft

The above figure shows, hunting for all autorun files and checking the hashes in virustotal, and finally, we can export it in CSV for better visibility.

Conclusion

The tool Autoruns has been used across by various cybersecurity professionals, especially for incident response and security operations. The simple tools are more familiar for their robust usage and performance. Happy Hunting!


Previous articleSigcheck v2.82 – Quick Malware Auditing for Incident Responders
Next articleProxyshell Vulnerability – Large Exploitation of Microsoft Exchange Servers
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here