analyzing-malware-persistence-with-autoruns

star 599

Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.

xalgord By xalgord schedule Updated 6/6/2026
play_arrow Run Skill in Manus View GitHub

name: analyzing-malware-persistence-with-autoruns description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. domain: cybersecurity subdomain: malware-analysis tags:

  • autoruns
  • persistence
  • malware-analysis
  • sysinternals
  • windows
  • registry
  • startup
  • incident-response mitre_attack:
  • T1547
  • T1053
  • T1543
  • T1546 version: '1.0' author: mahipal license: Apache-2.0 d3fend_techniques:
  • Executable Denylisting
  • Execution Isolation
  • File Metadata Consistency Validation
  • Content Format Conversion
  • File Content Analysis nist_csf:
  • DE.AE-02
  • RS.AN-03
  • ID.RA-01
  • DE.CM-01

Analyzing Malware Persistence with Autoruns

Overview

Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.

When to Use

  • When investigating security incidents that require analyzing malware persistence with autoruns
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Detection Gaps & Validation

  • Autoruns doesn't cover every ASEP. COM hijacking, certain WMI event-consumer subscriptions, and fully fileless/in-memory persistence may not surface. Corroborate with Sysmon (Event IDs 12-13, 19-21), wmic/Get-WmiObject for __EventConsumer, and Volatility for memory-only implants.
  • Live runs can be lied to. A rootkit on the running host can hide its own autostart entry; prefer offline analysis with autorunsc -z against a mounted disk image, then diff against a clean baseline.
  • Signed != trusted. Malware abuses signed LOLBins (regsvr32, mshta, rundll32) and can sit behind a valid Microsoft signature; "Hide Microsoft entries" can mask a binary masquerading from System32. Verify the signature is valid (not just present) and that the path/name match the real product.
  • Confirm a hit: check the hash on VirusTotal, validate the digital-signature state, confirm the launch string/path against a known-good baseline, and corroborate the entry from a second source (Sysmon, raw registry hive, scheduled-task XML) rather than Autoruns alone.
  • False positives: legitimate line-of-business apps, OEM utilities, and dev tools are often unsigned, run from odd paths, or use script launchers. Require corroborating indicators before flagging an unsigned entry.

Prerequisites

  • Sysinternals Autoruns (GUI) and Autorunsc (CLI)
  • Administrative privileges on target system
  • Python 3.9+ for automated analysis
  • VirusTotal API key for reputation checks
  • Clean baseline export for comparison

Workflow

Step 1: Automated Persistence Scanning

#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis."""
import subprocess
import csv
import json
import sys


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    with open(csv_path, 'w') as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def parse_and_flag(csv_path):
    suspicious = []
    with open(csv_path, 'r', errors='replace') as f:
        for row in csv.DictReader(f):
            reasons = []
            signer = row.get("Signer", "")
            if not signer or signer == "(Not verified)":
                reasons.append("Unsigned binary")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("Missing metadata")
            path = row.get("Image Path", "").lower()
            for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
                if sp in path:
                    reasons.append(f"Suspicious path")
            launch = row.get("Launch String", "").lower()
            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
                if kw in launch:
                    reasons.append(f"LOLBin: {kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = parse_and_flag(sys.argv[1])
        print(f"[!] {len(results)} suspicious entries")
        for r in results:
            print(f"  {r.get('Entry','')} - {r.get('Image Path','')}")
            for reason in r.get('reasons', []):
                print(f"    - {reason}")

Validation Criteria

  • All ASEP categories scanned and cataloged
  • Unsigned entries flagged for investigation
  • Suspicious paths and LOLBin launch strings highlighted
  • Baseline comparison identifies new persistence mechanisms

References

Install via CLI
npx skills add https://github.com/xalgord/xalgorix --skill analyzing-malware-persistence-with-autoruns
Repository Details
star Stars 599
call_split Forks 104
navigation Branch main
article Path SKILL.md
More from Creator
xalgord
xalgord Explore all skills →