Hunting Malware with Windows Sysinternals — Autoruns

This is part 2 of “Hunting Malware with Windows Sysinternals”. If you haven’t read part 1, please give it a read here.

The Registry and Autostart Extensibility Points

The Windows registry is the OS database. It contains information about the OS configuration, services, drivers, boot configuration, user configuration, the shell in use and a lot more. Autostart Extensibility Points (ASEPs) are the locations, most of them registry keys, that Windows consults to launch programs automatically at boot or logon, and they are exactly what Autoruns enumerates.

Autoruns

Windows Sysinternals — Autoruns

Code Signature Verification

As discussed in the previous part with Process Explorer and its image verification feature, Autoruns offers the same feature to verify whether the executable behind an entry is signed with a valid certificate.

VirusTotal Integration

Autoruns integrates by default with VirusTotal. That means it can send hashes or executables for scanning to identify entries pointing to malicious images on disk. Just make sure you’re not sending anything sensitive if you choose to send “Unknown Images”.

Hiding Microsoft and VT clean entries

This is more of a UI feature than anything else, but it helps our analysis and search for malicious entries: hiding Microsoft entries is a safe bet and clears a lot of noise from the interface.

User Specific Entries

The Windows registry contains entries specific to each user, and by default Autoruns only searches the HKCU key of the user who runs the tool. Don’t forget to check the other users’ Run keys by switching the user via the “User” menu.

Search in Process Explorer

Last but not least, there is an option that lets us check whether the executable pointed to by the registry key is currently running, by locating it in Process Explorer.
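To make the last two points concrete, the script below (an added example, not code from the original post) does in PowerShell what the “User” menu and the Process Explorer search do in the UI: it walks the Run and RunOnce keys of every loaded user hive under HKEY_USERS, checks each image's Authenticode signature, and reports whether that image is currently running. It assumes an elevated PowerShell session on Windows; the output fields and the simple command-line parsing are this example's own choices.

```powershell
# Added example, not from the original post: per-user Run/RunOnce entries across
# all loaded hives, with signature status and a running-process check.
# Assumes an elevated Windows PowerShell session.

# Expose HKEY_USERS as a drive so other logged-on users' hives are visible, not only HKCU.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Image paths of running processes, for the "is it running?" check.
# PowerShell hashtable keys are case-insensitive, which matches NTFS paths.
$running = @{}
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    ForEach-Object { $running[$_.Path] = $true }

function Resolve-ImagePath {
    param([string]$Command)
    # Recover the executable from a command line: honour quotes, drop arguments.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return ($cmd -split '\s+')[0]
}

# Skip the *_Classes hives, which carry no Run keys.
foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    foreach ($sub in $runSubKeys) {
        $keyPath = "HKU:\$($hive.PSChildName)\$sub"
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item $keyPath
        foreach ($name in $key.GetValueNames()) {
            $image = [Environment]::ExpandEnvironmentVariables((Resolve-ImagePath $key.GetValue($name)))
            $sig = if ($image -and (Test-Path -LiteralPath $image)) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
            [PSCustomObject]@{
                Hive      = $hive.PSChildName   # SID of the user the entry belongs to
                Key       = $sub
                Entry     = $name
                Image     = $image
                Signature = $sig                # Valid, NotSigned, HashMismatch, ...
                Running   = $running.ContainsKey($image)
            }
        }
    }
}
```

Entries whose image is unsigned or missing on disk, or that point to an unquoted path with spaces (which this simple parser truncates), are the ones worth opening in Autoruns for a closer look.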

Conclusion

Combining all of these features with a sense of analysis can go a long way in finding malicious entries with Autoruns.

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.