Anthropic-Cybersecurity-Skills/skills/analyzing-malware-persistence-with-autoruns/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00
# API Reference: Autoruns Persistence Analysis
## Autoruns CLI (autorunsc.exe)
```cmd
autorunsc.exe -a * -c -h -s -v -vt -o autoruns.csv
```
| Flag | Description |
|------|-------------|
| `-a *` | All autostart categories |
| `-c` | CSV output |
| `-h` | Show file hashes |
| `-s` | Verify digital signatures |
| `-v` | Verify signatures against catalog |
| `-vt` | Check VirusTotal |
| `-o` | Output file |
## CSV Columns
| Column | Description |
|--------|-------------|
| Time | Entry timestamp |
| Entry Location | Registry key or path |
| Entry | Entry name |
| Enabled | enabled/disabled |
| Category | Autoruns category |
| Description | File description |
| Company | Publisher name |
| Image Path | Full binary path |
| Launch String | Complete command line |
| MD5 / SHA-1 / SHA-256 | File hashes |
| Signer | Code signing status |
| VT detection | VirusTotal ratio of detecting engines to total engines (e.g., "5/72") |
## Autostart Categories
| Category | Examples |
|----------|---------|
| Logon | Run/RunOnce keys, Startup folder |
| Services | Windows services |
| Drivers | Kernel drivers |
| Scheduled Tasks | Task Scheduler entries |
| Winlogon | Shell, Userinit, Notify |
| WMI | Event subscriptions |
| AppInit | AppInit_DLLs |
| Boot Execute | BootExecute values |
| Image Hijacks | IFEO debugger entries |
| LSA Providers | Authentication packages |
## Suspicious Indicators
| Indicator | Significance |
|-----------|-------------|
| VT detection > 0 | Flagged by one or more VirusTotal engines; treat as known malware |
| Unsigned binary | No valid code signature; a common trait of malware |
| LOLBin in launch string | Living-off-the-land execution through a trusted system binary |
| Path in %TEMP% or %PUBLIC% | World-writable staging location for dropped payloads |
| Missing company info | No publisher metadata; typical of unsigned or custom-built binaries |
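As an added example (not part of this skill's files or of Sysinternals code), the following Python applies the Suspicious Indicators table above to the CSV columns listed earlier. The sample CSV is constructed, its column layout follows this reference rather than the exact autorunsc.exe header, and the LOLBin list and the `(Verified)` prefix in the Signer column are assumptions.

```python
import csv
import io

# Constructed sample in the column layout this reference lists (not real autorunsc output).
SAMPLE_CSV = (
    "Time,Entry Location,Entry,Enabled,Category,Description,Company,Image Path,"
    "Launch String,MD5,SHA-1,SHA-256,Signer,VT detection\n"
    "09:12,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,"
    "Notification icon,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,"
    "%windir%\\system32\\SecurityHealthSystray.exe,a1,b1,c1,(Verified) Microsoft Windows,0/72\n"
    "09:13,HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,,,"
    "c:\\users\\public\\upd.exe,c:\\users\\public\\upd.exe -s,a2,b2,c2,(Not verified),5/72\n"
    "09:14,Task Scheduler,\\Sync,enabled,Scheduled Tasks,,,c:\\windows\\system32\\mshta.exe,"
    "mshta.exe %TEMP%\\a.hta,a3,b3,c3,(Verified) Microsoft Windows,0/72\n"
)

# Assumed LOLBin list and staging-path markers; extend to match your environment.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "msiexec.exe", "powershell.exe"}
STAGING_MARKERS = ("%temp%", "%public%", "\\temp\\", "\\users\\public\\")

def vt_hits(ratio):
    # "5/72" -> 5; empty or non-numeric (e.g. "Unknown") -> 0
    head = ratio.split("/")[0].strip()
    return int(head) if head.isdigit() else 0

def indicators(row):
    # Apply each row of the Suspicious Indicators table to one CSV record.
    hits = []
    launch = row["Launch String"].lower()
    paths = launch + " " + row["Image Path"].lower()
    if vt_hits(row["VT detection"]) > 0:
        hits.append("vt_detection")
    if not row["Signer"].startswith("(Verified)"):  # assumed Signer convention
        hits.append("unsigned")
    if any(b in launch for b in LOLBINS):
        hits.append("lolbin")
    if any(m in paths for m in STAGING_MARKERS):
        hits.append("staging_path")
    if not row["Company"].strip():
        hits.append("missing_company")
    return hits

def triage(csv_text):
    # Map entry name -> indicators for every record that trips at least one check.
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["Entry"]: indicators(r) for r in reader if indicators(r)}

if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

Real autorunsc.exe CSV output is written as UTF-16; decode it before handing the text to `triage`.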
## MITRE ATT&CK Persistence
- T1547.001 - Registry Run Keys / Startup Folder
- T1053.005 - Scheduled Task
- T1543.003 - Windows Service
- T1546.003 - WMI Event Subscription