TH-0006-Autoruns Analysis

Creation Date: 2020/06/28

Author: svch0st

Target Platform: Windows

Analytics:

  • Autorunsc.exe - Custom Output

Hypothesis

Adversaries may try to gain persistence by using the autorun or ASEP locations in Windows

Description

The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It outputs every autostart entry it identifies, including built-in or added-on Microsoft functionality and third-party software. Many of these locations are well known to adversaries and are used to obtain Persistence.

ATT&CK Detection

| Technique | Subtechnique(s) | Tactic(s) |
| --- | --- | --- |
| Create or Modify System Process | Windows Service | Persistence, Execution |
| Scheduled Task/Job | At (Windows), Scheduled Task | Execution, Persistence, Privilege Escalation |
| Event Triggered Execution | Windows Management Instrumentation Event Subscription, Image File Execution Options Injection, PowerShell Profile | Persistence, Privilege Escalation |
| Boot or Logon Initialization Scripts | Logon Script (Windows), Startup Items | Persistence, Privilege Escalation |
| Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |

Analytics

Autorunsc.exe

Data Source: Custom Output

Description: Running the tool on each host and writing its output to a network share lets you collect these important data points centrally and analyse them across the fleet.

Logic:

Use frequency analysis (stack counting) on the entries to find abnormalities across your systems: an autostart entry present on only one or a few hosts deserves a closer look than one present everywhere.
Compare against a snapshot of a known-good image to filter out the noise of safe or expected entries.
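The two analytic steps above, stack counting across hosts and baseline subtraction, as an added example that is not part of the original playbook. It assumes autorunsc wrote CSV output per host to the share (for example `autorunsc.exe -accepteula -nobanner -a * -c -h -s > \\share\autoruns\%COMPUTERNAME%.csv`, flags as I recall them from the tool's usage text), that a leading `Host` column was prepended at collection time, and that the other column names match autorunsc's CSV header (`Entry Location`, `Entry`, `Enabled`, `Signer`, `Image Path`, `SHA-256`; verify against your own output). The sample rows and hashes are constructed, and the `decode_autoruns_file` helper reflects that autorunsc's redirected output has been UTF-16 with a BOM in the versions I have used.

```python
"""Frequency analysis and baseline comparison over autorunsc CSV output.

Added example, not part of the original playbook. Column names are assumed to
match autorunsc's CSV header; the 'Host' column is assumed to be prepended at
collection time. Sample data below is constructed; hashes are placeholders.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: autostart entries collected from three workstations.
COLLECTED_CSV = r'''Host,Entry Location,Entry,Enabled,Signer,Image Path,SHA-256
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,HASH-SECHEALTH
WS01,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,(Verified) Microsoft Windows,c:\windows\system32\defrag.exe,HASH-DEFRAG
WS01,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,"(Verified) VMware, Inc.",c:\program files\vmware\vmware tools\vmtoolsd.exe,HASH-VMTOOLS
WS01,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Spotify,disabled,(Verified) Spotify AB,c:\users\alice\appdata\roaming\spotify\spotify.exe,HASH-SPOTIFY
WS02,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,HASH-SECHEALTH
WS02,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,(Verified) Microsoft Windows,c:\windows\system32\defrag.exe,HASH-DEFRAG
WS02,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,"(Verified) VMware, Inc.",c:\program files\vmware\vmware tools\vmtoolsd.exe,HASH-VMTOOLS
WS02,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,(Not verified),c:\users\bob\appdata\roaming\updater.exe,HASH-UPDATER
WS03,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,HASH-SECHEALTH
WS03,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,(Verified) Microsoft Windows,c:\windows\system32\defrag.exe,HASH-DEFRAG
WS03,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,"(Verified) VMware, Inc.",c:\program files\vmware\vmware tools\vmtoolsd.exe,HASH-VMTOOLS
WS03,Task Scheduler,\OneDrive Standalone Update Task,enabled,(Verified) Microsoft Corporation,c:\users\carol\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe,HASH-ONEDRIVE
'''

# Constructed sample: the same columns captured from a known-good image.
BASELINE_CSV = r'''Host,Entry Location,Entry,Enabled,Signer,Image Path,SHA-256
GOLD,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,HASH-SECHEALTH
GOLD,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,(Verified) Microsoft Windows,c:\windows\system32\defrag.exe,HASH-DEFRAG
GOLD,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,"(Verified) VMware, Inc.",c:\program files\vmware\vmware tools\vmtoolsd.exe,HASH-VMTOOLS
'''


def decode_autoruns_file(raw: bytes) -> str:
    """Decode a collected file: UTF-16 when a BOM is present (what autorunsc has
    written when redirected, in my experience), otherwise UTF-8."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_autoruns_csv(text: str) -> list:
    """Parse CSV text into row dicts, keeping only enabled entries."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["Enabled"].strip().lower() == "enabled"]


def entry_key(row: dict) -> tuple:
    """Identity of an autostart entry: where it lives, its name, what it runs and
    the file hash. The image path is lower-cased because reported case varies."""
    return (row["Entry Location"], row["Entry"], row["Image Path"].lower(), row["SHA-256"])


def stack_entries(rows: list) -> dict:
    """Frequency analysis: map each distinct entry to the set of hosts it was seen on."""
    hosts_by_key = defaultdict(set)
    for row in rows:
        hosts_by_key[entry_key(row)].add(row["Host"])
    return hosts_by_key


def baseline_keys(baseline_text: str) -> set:
    """Entries present on the known-good image; these are filtered out as expected noise."""
    return {entry_key(row) for row in parse_autoruns_csv(baseline_text)}


def find_outliers(collected_text: str, baseline_text: str, total_hosts: int = 0,
                  max_prevalence: float = 0.5) -> list:
    """Return entries that are not on the baseline and appear on at most
    max_prevalence of the fleet, unsigned and rarest first. Pass total_hosts when
    some hosts did not report, so prevalence is measured against the real fleet."""
    rows = parse_autoruns_csv(collected_text)
    known_good = baseline_keys(baseline_text)
    hosts_by_key = stack_entries(rows)
    total = total_hosts or len({row["Host"] for row in rows})
    signer_by_key = {entry_key(row): row["Signer"] for row in rows}
    findings = []
    for key, hosts in hosts_by_key.items():
        if key in known_good:
            continue
        prevalence = len(hosts) / total
        if prevalence > max_prevalence:
            continue
        findings.append({
            "location": key[0], "entry": key[1], "image_path": key[2], "sha256": key[3],
            "hosts": sorted(hosts), "prevalence": prevalence,
            "signed": signer_by_key[key].startswith("(Verified)"),
        })
    findings.sort(key=lambda f: (f["signed"], f["prevalence"], f["entry"]))
    return findings


if __name__ == "__main__":
    for f in find_outliers(COLLECTED_CSV, BASELINE_CSV):
        flag = "signed" if f["signed"] else "UNSIGNED"
        print(f"{flag:8} {f['prevalence']:.0%} {f['hosts']} {f['location']} -> {f['entry']} ({f['image_path']})")
```

With the constructed data the three baseline entries drop out, the disabled Spotify entry is ignored, and the two single-host entries remain, with the unsigned `Updater` in a user profile ranked above the signed OneDrive task. In practice, read each host's file from the share with `decode_autoruns_file`, concatenate the rows, and treat the ranked list as the hunter's review queue rather than as alerts; a rare, signed, expected entry still needs a human to confirm it against the baseline.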

Atomic Tests

T1543.003 - Windows Service

  1. Modify Fax service to run PowerShell

  2. Service Installation CMD

  3. Service Installation PowerShell

T1053.002 - At (Windows)

  1. At.exe Scheduled task

T1053.005 - Scheduled Task

  1. Scheduled Task Startup Script

  2. Scheduled task Local

  3. Scheduled task Remote

  4. Powershell Cmdlet Scheduled Task

T1546.003 - Windows Management Instrumentation Event Subscription

  1. Persistence via WMI Event Subscription

T1546.012 - Image File Execution Options Injection

  1. IFEO Add Debugger

  2. IFEO Global Flags

T1546.013 - PowerShell Profile

  1. Append malicious start-process cmdlet

T1037.001 - Logon Script (Windows)

  1. Logon Scripts

T1037.005 - Startup Items

  1. Add file to Local Library StartupItems

T1547.001 - Registry Run Keys / Startup Folder

  1. Reg Key Run

  2. Reg Key RunOnce

  3. PowerShell Registry RunOnce

  4. Suspicious vbs file run from startup Folder

  5. Suspicious jse file run from startup Folder

  6. Suspicious bat file run from startup Folder

Hunter Notes

Hunt Outputs

References