mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
126 lines
4.4 KiB
Markdown
126 lines
4.4 KiB
Markdown
---
|
|
name: analyzing-malware-persistence-with-autoruns
|
|
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
|
|
keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
|
|
domain: cybersecurity
|
|
subdomain: malware-analysis
|
|
tags:
|
|
- autoruns
|
|
- persistence
|
|
- malware-analysis
|
|
- sysinternals
|
|
- windows
|
|
- registry
|
|
- startup
|
|
- incident-response
|
|
mitre_attack:
|
|
- T1547
|
|
- T1053
|
|
- T1543
|
|
- T1546
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
d3fend_techniques:
|
|
- Executable Denylisting
|
|
- Execution Isolation
|
|
- File Metadata Consistency Validation
|
|
- Content Format Conversion
|
|
- File Content Analysis
|
|
nist_csf:
|
|
- DE.AE-02
|
|
- RS.AN-03
|
|
- ID.RA-01
|
|
- DE.CM-01
|
|
---
|
|
# Analyzing Malware Persistence with Autoruns
|
|
|
|
## Overview
|
|
|
|
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When investigating security incidents that require analyzing malware persistence with autoruns
|
|
- When building detection rules or threat hunting queries for this domain
|
|
- When SOC analysts need structured procedures for this analysis type
|
|
- When validating security monitoring coverage for related attack techniques
|
|
|
|
## Prerequisites
|
|
|
|
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
|
|
- Administrative privileges on target system
|
|
- Python 3.9+ for automated analysis
|
|
- VirusTotal API key for reputation checks
|
|
- Clean baseline export for comparison
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Automated Persistence Scanning
|
|
|
|
```python
|
|
#!/usr/bin/env python3
|
|
"""Automate Autoruns-based persistence analysis."""
|
|
import subprocess
|
|
import csv
|
|
import json
|
|
import sys
|
|
|
|
|
|
def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
|
|
cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
|
|
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
|
|
with open(csv_path, 'w') as f:
|
|
f.write(result.stdout)
|
|
return parse_and_flag(csv_path)
|
|
|
|
|
|
def parse_and_flag(csv_path):
|
|
suspicious = []
|
|
with open(csv_path, 'r', errors='replace') as f:
|
|
for row in csv.DictReader(f):
|
|
reasons = []
|
|
signer = row.get("Signer", "")
|
|
if not signer or signer == "(Not verified)":
|
|
reasons.append("Unsigned binary")
|
|
if not row.get("Description") and not row.get("Company"):
|
|
reasons.append("Missing metadata")
|
|
path = row.get("Image Path", "").lower()
|
|
for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
|
|
if sp in path:
|
|
reasons.append(f"Suspicious path")
|
|
launch = row.get("Launch String", "").lower()
|
|
for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
|
|
if kw in launch:
|
|
reasons.append(f"LOLBin: {kw}")
|
|
if reasons:
|
|
row["reasons"] = reasons
|
|
suspicious.append(row)
|
|
return suspicious
|
|
|
|
|
|
if __name__ == "__main__":
|
|
if len(sys.argv) > 1:
|
|
results = parse_and_flag(sys.argv[1])
|
|
print(f"[!] {len(results)} suspicious entries")
|
|
for r in results:
|
|
print(f" {r.get('Entry','')} - {r.get('Image Path','')}")
|
|
for reason in r.get('reasons', []):
|
|
print(f" - {reason}")
|
|
```
|
|
|
|
## Validation Criteria
|
|
|
|
- All ASEP categories scanned and cataloged
|
|
- Unsigned entries flagged for investigation
|
|
- Suspicious paths and LOLBin launch strings highlighted
|
|
- Baseline comparison identifies new persistence mechanisms
|
|
|
|
## References
|
|
|
|
- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)
|
|
- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/)
|
|
- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2)
|
|
- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)
|