Anthropic-Cybersecurity-Skills analyzing-malware-persistence-with-autoruns
Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/analyzing-malware-persistence-with-autoruns" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-analyzing-malware-persistence-with-autor && rm -rf "$T"
manifest: skills/analyzing-malware-persistence-with-autoruns/SKILL.md
Analyzing Malware Persistence with Autoruns
Overview
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
When to Use
- When investigating security incidents that require analyzing malware persistence with autoruns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
- Administrative privileges on target system
- Python 3.9+ for automated analysis
- VirusTotal API key for reputation checks
- Clean baseline export for comparison
Workflow
Step 1: Automated Persistence Scanning
#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis."""
import csv
import subprocess
import sys

# Path fragments (user-writable locations) and launch-string keywords that warrant analyst review.
SUSPICIOUS_PATHS = ["\\temp\\", "\\appdata\\local\\temp", "\\users\\public\\"]
LOLBIN_KEYWORDS = ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    """Run autorunsc over all ASEP categories (-a *), CSV output (-c), with file hashes (-h)
    and signature verification (-s), for all user profiles (trailing *)."""
    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
    result = subprocess.run(cmd, capture_output=True, timeout=600)
    # Keep the raw bytes: redirected Sysinternals output may be UTF-16 rather than the console code page.
    with open(csv_path, "wb") as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def open_export(csv_path):
    """Open an autorunsc export, honouring a UTF-16 BOM if one is present."""
    with open(csv_path, "rb") as f:
        bom = f.read(2)
    encoding = "utf-16" if bom in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return open(csv_path, "r", encoding=encoding, errors="replace", newline="")


def parse_and_flag(csv_path):
    """Flag entries that are unsigned, lack vendor metadata, run from user-writable
    paths, or are launched through living-off-the-land binaries."""
    suspicious = []
    with open_export(csv_path) as f:
        for row in csv.DictReader(f):
            reasons = []
            # autorunsc reports e.g. "(Verified) Microsoft Windows" or "(Not verified) Vendor".
            signer = row.get("Signer") or ""
            if not signer or signer.startswith("(Not verified)"):
                reasons.append("Unsigned binary")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("Missing metadata")
            path = (row.get("Image Path") or "").lower()
            for sp in SUSPICIOUS_PATHS:
                if sp in path:
                    reasons.append(f"Suspicious path: {sp}")
            launch = (row.get("Launch String") or "").lower()
            for kw in LOLBIN_KEYWORDS:
                if kw in launch:
                    reasons.append(f"LOLBin: {kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    # Pass an existing export to re-analyze it; with no argument, run a fresh scan.
    results = parse_and_flag(sys.argv[1]) if len(sys.argv) > 1 else scan_and_analyze()
    print(f"[!] {len(results)} suspicious entries")
    for r in results:
        print(f"  {r.get('Entry', '')} - {r.get('Image Path', '')}")
        for reason in r.get("reasons", []):
            print(f"    - {reason}")
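The baseline diffing described in the overview (and required by the validation criteria) is not covered by the script above. The following is an added example, not part of the original skill, that diffs a clean baseline autorunsc CSV export against a current one, keyed on Entry Location and Entry; the two exports are constructed samples using autorunsc's column names, and the hash values are placeholders.

```python
#!/usr/bin/env python3
"""Diff a baseline autorunsc CSV export against a current one to surface new or changed ASEPs."""
import csv
import io

# Constructed sample exports (not real scans) using autorunsc column names; hashes are placeholders.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa1111
Task Scheduler,\Backup\Nightly,enabled,Tasks,Nightly backup,(Verified) Example Corp,Example Corp,c:\program files\example\backup.exe,backup.exe --nightly,bbbb2222
"""
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa1111
Task Scheduler,\Backup\Nightly,enabled,Tasks,Nightly backup,(Not verified) Example Corp,Example Corp,c:\program files\example\backup.exe,backup.exe --nightly,cccc3333
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,,(Not verified),,c:\users\public\updater.exe,mshta.exe c:\users\public\u.hta,dddd4444
"""

KEY_FIELDS = ("Entry Location", "Entry")  # identity of an ASEP entry across scans
WATCH_FIELDS = ("Image Path", "Launch String", "SHA-256", "Signer", "Enabled")


def load_entries(csv_text):
    """Index an autorunsc export by (Entry Location, Entry)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {tuple(row[k] for k in KEY_FIELDS): row for row in reader}


def diff_autoruns(baseline_text, current_text):
    """Return entries only in current (new persistence), entries whose watched fields
    changed (binary swapped, signature lost, re-enabled), and entries that disappeared."""
    base, cur = load_entries(baseline_text), load_entries(current_text)
    new = [cur[k] for k in cur if k not in base]
    removed = [base[k] for k in base if k not in cur]
    changed = []
    for k in cur.keys() & base.keys():
        deltas = {f: (base[k].get(f, ""), cur[k].get(f, ""))
                  for f in WATCH_FIELDS if base[k].get(f, "") != cur[k].get(f, "")}
        if deltas:
            changed.append({"key": k, "deltas": deltas})
    return {"new": new, "changed": changed, "removed": removed}


if __name__ == "__main__":
    report = diff_autoruns(BASELINE_CSV, CURRENT_CSV)
    for e in report["new"]:
        print(f"[NEW]     {e['Entry Location']} | {e['Entry']} -> {e['Image Path']}")
    for c in report["changed"]:
        print(f"[CHANGED] {' | '.join(c['key'])}: {c['deltas']}")
    for e in report["removed"]:
        print(f"[REMOVED] {e['Entry Location']} | {e['Entry']}")
```

New entries should then be run through parse_and_flag-style checks, while a changed hash or a lost signature on a known entry is a separate signal that a legitimate ASEP may have been hijacked.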
Validation Criteria
- All ASEP categories scanned and cataloged
- Unsigned entries flagged for investigation
- Suspicious paths and LOLBin launch strings highlighted
- Baseline comparison identifies new persistence mechanisms