analyzing-malware-persistence-with-autoruns

# Analyzing Malware Persistence with Autoruns ## Overview Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination. ## When to Use - When investigating security incidents that require analyzing malware persistence with autoruns - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Sysinternals Autoruns (GUI) and Autorunsc (CLI) - Administrative privileges on target system - Python 3.9+ for automated analysis - VirusTotal API key for reputation checks - Clean baseline export for comparison ## Workflow ### Step 1: Automated Persistence Scanning ```python #!/usr/bin/env python3 """Automate Autoruns-based persistence analysis.""" import subprocess import csv import json import sys def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"): cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-...