creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-25 19:24:36 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-malware-persistence-with-autoruns/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

4.4 KiB
Raw Blame History

name, description, domain, subdomain, tags, mitre_attack, version, author, license, d3fend_techniques, nist_csf
name description domain subdomain tags mitre_attack version author license d3fend_techniques nist_csf
analyzing-malware-persistence-with-autoruns Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. cybersecurity malware-analysis
autoruns
persistence
malware-analysis
sysinternals
windows
registry
startup
incident-response
T1547
T1053
T1543
T1546
1.0 mahipal Apache-2.0
Executable Denylisting
Execution Isolation
File Metadata Consistency Validation
Content Format Conversion
File Content Analysis
DE.AE-02
RS.AN-03
ID.RA-01
DE.CM-01

Analyzing Malware Persistence with Autoruns

Overview

Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.

When to Use

  • When investigating security incidents that require analyzing malware persistence with autoruns
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Sysinternals Autoruns (GUI) and Autorunsc (CLI)
  • Administrative privileges on target system
  • Python 3.9+ for automated analysis
  • VirusTotal API key for reputation checks
  • Clean baseline export for comparison

Workflow

Step 1: Automated Persistence Scanning

#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis."""
import subprocess
import csv
import json
import sys


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    with open(csv_path, 'w') as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def parse_and_flag(csv_path):
    suspicious = []
    with open(csv_path, 'r', errors='replace') as f:
        for row in csv.DictReader(f):
            reasons = []
            signer = row.get("Signer", "")
            if not signer or signer == "(Not verified)":
                reasons.append("Unsigned binary")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("Missing metadata")
            path = row.get("Image Path", "").lower()
            for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
                if sp in path:
                    reasons.append(f"Suspicious path")
            launch = row.get("Launch String", "").lower()
            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
                if kw in launch:
                    reasons.append(f"LOLBin: {kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = parse_and_flag(sys.argv[1])
        print(f"[!] {len(results)} suspicious entries")
        for r in results:
            print(f"  {r.get('Entry','')} - {r.get('Image Path','')}")
            for reason in r.get('reasons', []):
                print(f"    - {reason}")

Validation Criteria

  • All ASEP categories scanned and cataloged
  • Unsigned entries flagged for investigation
  • Suspicious paths and LOLBin launch strings highlighted
  • Baseline comparison identifies new persistence mechanisms

References

Reference in New Issue View Git Blame Copy Permalink