
SANS ISC: Windows Autorun-3 - SANS Internet Storm Center


Windows Autorun-3

In previous diaries I discussed some of the most common startup locations in a Windows environment.

In this diary I will cover some of the methods for enumerating these values from the registry.

1-Autoruns

Sysinternals Autoruns is the best tool available for enumerating startup locations; it can locate almost every startup location in Windows. If you are a big fan of the command line or you need something scriptable, Autorunsc is the command-line version of Autoruns. Autoruns can detect the startup locations for the current user and for any other user account on the same system.

In addition, one of the most powerful features of Autoruns is the ability to analyze offline systems. This is very useful when all you have is a binary image of a compromised system.

Here is how to use it with an offline system:

1-Mount the image

2-File->Analyze Offline System...

3-Provide System Root and User Profile Path

4-Click OK

2-Registry Editors/Viewers

In the forensics world we cannot depend on one tool only; in many cases we have to double-check the result of one tool using a different tool.

In addition to the Windows built-in tools (RegEdit, the reg command, and PowerShell Get-ChildItem/Get-ItemProperty), there are some great tools for analyzing the registry, such as AccessData FTK Registry Viewer, Harlan Carvey's RegRipper, and TZWorks Yet Another Registry Utility (yaru).

One big advantage of yaru is its ability to recover deleted registry keys, which is very useful when someone is trying to hide their tracks.



3-WMIC

Windows Management Instrumentation Command-line (WMIC) has its own way to retrieve the startup locations:

wmic startup list full
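As an added example serving both the registry-tools section and the WMIC section above (it is not code from the diary, from Sysinternals, or from any of the registry tools named), the PowerShell script below walks the Run, RunOnce and RunOnceEx keys under HKLM and every loaded user hive, can attach an offline hive file from a mounted image with reg.exe, and cross-checks the result against Win32_StartupCommand, the CIM class that "wmic startup list full" reads. The function names, the $RunKeys list and the offline hive path are my own choices; the script assumes an elevated PowerShell session on a live Windows host.

```powershell
# Added example, not from the diary. Assumes an elevated PowerShell 3.0+ session.
# The offline hive path in the commented usage at the bottom is a placeholder.

# Run-type keys to inspect under each hive root. RunOnce/RunOnceEx are listed
# deliberately: Win32_StartupCommand (the class behind "wmic startup list full")
# does not report them, so a registry walk is the cross-check for those.
$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Property names the registry provider adds to Get-ItemProperty output.
# Filtered by exact name rather than a 'PS*' wildcard so that a real value
# whose name happens to start with "PS" is not silently dropped.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntry {
    # Returns one object per registry value found under the Run keys of each root.
    param([Parameter(Mandatory)][string[]]$Root)
    foreach ($r in $Root) {
        foreach ($sub in $RunKeys) {
            $path = "$($r.TrimEnd('\'))\$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $props = Get-ItemProperty -LiteralPath $path
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $ProviderProps) { continue }
                [pscustomobject]@{
                    Root    = $r
                    Key     = $sub
                    Name    = $p.Name
                    Command = [string]$p.Value
                }
            }
        }
    }
}

function Get-LoadedUserHiveRoot {
    # Per-user hives currently loaded under HKEY_USERS. HKCU is one of these,
    # so it is not listed separately. The *_Classes hives are skipped.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
}

function Mount-OfflineHive {
    # Attaches a hive file (e.g. NTUSER.DAT or SOFTWARE copied from a mounted
    # image) under HKLM\<Name> using reg.exe and returns its PowerShell path.
    param([Parameter(Mandatory)][string]$HiveFile,
          [string]$Name = 'OfflineHive')
    & reg.exe load "HKLM\$Name" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HiveFile" }
    return "HKLM:\$Name"
}

function Dismount-OfflineHive {
    param([string]$Name = 'OfflineHive')
    # Release provider handles first, otherwise reg.exe unload reports access denied.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$Name" | Out-Null
}

# --- Live system: HKLM plus every loaded user hive ---
$roots   = @('HKLM:') + @(Get-LoadedUserHiveRoot)
$fromReg = Get-RunKeyEntry -Root $roots

# --- Cross-check with the CIM class that wmic startup uses ---
$fromCim = Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User

$fromReg | Format-Table Root, Key, Name, Command -AutoSize
$fromCim | Format-Table Name, Location, Command -AutoSize

# Values the registry walk sees but Win32_StartupCommand does not
# (typically anything under RunOnce/RunOnceEx).
$onlyInReg = $fromReg | Where-Object { $_.Name -notin $fromCim.Name }
$onlyInReg | Format-Table Root, Key, Name, Command -AutoSize

# --- Offline hive from a mounted image (placeholder path, needs elevation) ---
# $off = Mount-OfflineHive -HiveFile 'E:\Users\someuser\NTUSER.DAT' -Name 'OffUser'
# Get-RunKeyEntry -Root $off | Format-Table Key, Name, Command -AutoSize
# Dismount-OfflineHive -Name 'OffUser'
```

Running the two listings side by side is the "double-check with a second tool" the diary recommends: any entry that appears only in the registry walk is something a wmic-only review would have missed. For an offline image the same Get-RunKeyEntry call works once the SOFTWARE hive or a user's NTUSER.DAT has been attached with Mount-OfflineHive, which mirrors what the Autoruns "Analyze Offline System" dialog does with the System Root and User Profile paths.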

Basil

52 Posts
ISC Handler
Took a while as googling for LZWorks was misleading. It's not "LZWorks yaru", it's "TZWorks yaru".

Yet Another Registry Utility
https://tzworks.net/prototype_page.php?proto_id=3
Anonymous
Posts
Not a huge fan of using 'wmic startup list full'.
... since they do NOT show RunOnce and RunOnceEx (which malware might hide).
It is trivial for malware to RunOnce, and re-add the execution command to the RunOnce key after Windows removes the entry.

Good for a quick look to start... but I find that I always manually search the registry (if I do not already have 'autoruns' available of course).
Anonymous
Posts
