Hunting Malware with Windows Sysinternals — Autoruns
This is part 2 of “Hunting Malware with Windows Sysinternals”. If you haven’t read part 1, please give it a read here.
Hunting Malware with Windows Sysinternals — Process Explorer
How to leverage process explorer capabilities to hunt and analyze malware
Welcome back. In this second blog post of this three-part series about hunting malware with the Windows Sysinternals tools, we’ll be taking a look at “Autoruns”, a tool that lets us visualize the auto-starting locations of a system, which malware can use to persist.
Without further ado let’s get started with a bit of terminology and concepts.
The Registry and Autostart Extensibility Points
The Windows registry is the OS database. It contains information about the OS configuration, services, drivers, boot configuration, user configuration, the shell used and a lot more.
It’s divided into keys and values, where each key contains one or multiple values that hold configuration information that the system or a piece of software needs.
Some keys available in the registry have special meaning to the OS. When configured, the OS will read and execute the corresponding configuration automatically. For example, if the “Run” or “Run Once” keys are configured, they will cause any program listed in there to get executed when a user logs in.
These types of keys are called “Auto-run” keys.
Similar to the registry auto-run keys, there exist other mechanisms to have a program launch when an event occurs. The most well-known example is the Task Scheduler.
Malware often uses the methods described above to create persistence on a machine. The focus of this blog post will be on how to leverage the Windows Sysinternals “Autoruns” tool to hunt for malware persistence.
The Sysinternals “Autoruns” tool was created for the sole purpose of listing as many auto-starting locations as possible, from services and scheduled tasks to run and boot execute keys. When executed, it will by default scan a lot of autostart locations, in 18 different categories.
Once the scan finishes, we’ll be presented with an interface that’ll show us every auto start location found.
I want to discuss five features that can help identify malicious entries quickly and efficiently.
Code Signature Verification
As discussed in the previous part with Process Explorer and its image verification feature, Autoruns offers the same feature to verify whether an executable is signed with a valid certificate.
Enabling this feature will show which executables are signed by adding the “Verified” string in front of them; what’s left are the most suspicious of the bunch.
This feature can be enabled globally from the “Scan Options” in the options menu.
Virus Total Integration
Autoruns integrates by default with VT. That means it can send hashes / executables for scanning to identify entries pointing to malicious images on disk. Just make sure you’re not sending anything sensitive if you choose the option to send “Unknown Images”.
This feature can be enabled also from the “Scan Options” in the options menu.
Hiding Microsoft and VT clean entries
This is more of a UI feature than anything else. It’ll help us in our analysis and search for malicious entries, as choosing to hide Microsoft entries is a safe bet and can clean up the interface from a lot of entries.
As for hiding clean VT entries, I would suggest that you select this option with care, because when dealing with advanced malware, and especially targeted malware, VT will most likely show a clean result even if an executable is malicious. So handle with care and always look at the image path, as in most cases it is the one that’ll reveal if something is misplaced or not.
User Specific Entries
The Windows registry contains entries specific to users, and by default Autoruns only searches the HKCU key of the user who runs the tool. Don’t forget to check the other users’ run keys by switching the user via the “User” menu.
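To see what Autoruns is reading here, the following PowerShell sketch (an added example, not part of the original post and not how Autoruns itself is implemented) lists the “Run” and “RunOnce” values for the machine and for every user hive currently loaded, and checks the signature of each image, much like the “Verified” column. The helper name `Get-ImagePath` and the output column names are hypothetical.

```powershell
# Added example: Run/RunOnce values for HKLM and every loaded user hive,
# with the Authenticode status of the image each value launches.
$subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# HKLM plus each hive loaded under HKEY_USERS (the *_Classes hives are skipped).
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

# Hypothetical helper: heuristic extraction of the image path from a launch string.
function Get-ImagePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }          # "C:\path with spaces\x.exe" /arg
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]                                   # fallback: first token
}

$entries = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Get-Item -LiteralPath "$root\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }                               # key absent or access denied
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            $image   = Get-ImagePath $command
            $status  = if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
                [string](Get-AuthenticodeSignature -LiteralPath $image).Status
            } else { 'ImageNotFound' }
            [pscustomobject]@{
                Hive      = $root -replace '^Registry::', ''
                Key       = Split-Path $sub -Leaf
                Name      = $name
                Image     = $image
                Signature = $status
                Command   = $command
            }
        }
    }
}

# Entries whose signature is not 'Valid' sort first: those are the ones to review.
$entries | Sort-Object { $_.Signature -eq 'Valid' }, Hive | Format-Table -AutoSize -Wrap
```

Run it elevated to read other users’ hives; profiles of logged-off users are not loaded under HKEY_USERS, so they still have to be checked through the Autoruns “User” menu. When the image is a signed launcher such as rundll32.exe, the file named in the “Command” column is what needs the review.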
Search in Process Explorer
Last but not least, there is an option that lets us check if the executable being pointed to by the registry key is running or not.
If you have Process Explorer running, you can right-click on any entry and choose the “Process Explorer…” option. This will open up Process Explorer and, if the executable is running, it will directly open the first instance it finds of that process.
This can be helpful in case you didn’t start by looking at the processes or in case you need to verify if the malware is still running on the system.
A feature to keep in mind.
Combining all of these features with a sense of analysis can go a long way in finding malicious entries with Autoruns.
I hope you enjoyed this blog post and learnt something along the way. Join me next time as we finish this series by looking at the most powerful tool of the bunch, “Process Monitor”.
If you want to know more about malware persistence, I suggest you read this blog post, containing a huge list of malware persistence techniques.
Malware persistence techniques | Andrea Fortuna
Once executed on target system, a malware try to hide itself and achieving persistence on the exploited machine, in…
If you want a deeper understanding of the Sysinternals tools, I highly suggest you read the book “Troubleshooting with the Windows Sysinternals Tools, 2nd Edition”.
Troubleshooting with the Windows Sysinternals Tools, 2nd Edition
Published 10/17/2016 2nd Edition Book 978-0-7356-8444-7 eBook 978-0-13-398653-2 Optimize Windows system reliability and…
Got any feedback or suggestions? Send them my way on Twitter @nas_bench