Evading Autoruns

Andy Ful

Very interesting document (a research paper by Kyle Hanslovan and Chris Bisnett) about how to use the Sysinternals Autoruns program properly. There are many possible techniques which can hide malicious entries when using the default Autoruns settings. The first simple example (among many others) is to replace the autorun entry:
C:\Windows\system32\VBoxTry.exe
with a modified one:
cmd.exe /c start C:\Windows\system32\VBoxTry.exe & malware.exe
This command runs malware.exe after executing the autorun VBoxTry.exe.
You will see the entry C:\Windows\system32\VBoxTry.exe in the Autoruns window only when the 'Hide Windows Entries' option is unticked. But even then, the whole command is not visible. It can be seen below the main window, when clicking on the C:\Windows\system32\VBoxTry.exe entry.
Good reading for malware testers.
See also:
Evading Autoruns, or: don’t rely solely on Autoruns for security

Andy Ful

I have downloaded the newest version of Autoruns (v.13.80 from September 2017) and there are some changes, probably related to the above research.
For example, if we make the registry modification below:
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background -->
cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background & malware.exe
In the older version, the Autoruns report will show:
OneDrive|Microsoft OneDrive|Microsoft Corporation|c:\users\#\appdata\local\microsoft\onedrive\onedrive.exe|
But, in the newest version, the report will show:
OneDrive | Windows Command Processor | Microsoft Corporation | c:\windows\system32\cmd.exe |
So the report in the newest version is closer to the truth, but still, the malware.exe is not visible until we click on the OneDrive entry.
Anyway, for the malware tester, the best solution is saving the Autoruns report before the malware test and comparing it with the report after the test. It should be remembered that 'Hide Windows Entries' should be unticked. Next, for any changed entry, we have to click on it in the Autoruns window to see the full command.
Unfortunately, on my computer (Windows 10 Fall Creators Update), the compare feature does not work, but it is possible to save both reports as TXT files and compare them using any text comparison utility. :)
Edit:
Comparing the reports will not work in older Autoruns versions.
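The before/after comparison described in the two posts, as an added example that is not part of the original thread or of Sysinternals Autoruns: it parses two saved reports in the pipe-delimited layout quoted above (entry name | description | publisher | image path), lists added, removed and changed entries, and separately flags a full launch command that chains a second executable through cmd.exe, which is the detail the report row alone does not show. The report contents, the `FULL_COMMANDS_AFTER` table (standing in for what you would read by clicking each changed entry) and the file name `updater.exe` are constructed samples, not data from the paper.

```python
"""Compare two saved Autoruns reports and flag chained launch commands.
Added example; the report text and command lines are constructed samples."""
import re

# Constructed sample reports, pipe-delimited as in the post:
# entry name | description | publisher | image path |
REPORT_BEFORE = """\
OneDrive|Microsoft OneDrive|Microsoft Corporation|c:\\users\\admin\\appdata\\local\\microsoft\\onedrive\\onedrive.exe|
VBoxTry|VirtualBox tray application|Oracle Corporation|c:\\windows\\system32\\vboxtry.exe|
"""
REPORT_AFTER = """\
OneDrive|Windows Command Processor|Microsoft Corporation|c:\\windows\\system32\\cmd.exe|
VBoxTry|VirtualBox tray application|Oracle Corporation|c:\\windows\\system32\\vboxtry.exe|
Updater|Updater|Unknown|c:\\users\\admin\\appdata\\roaming\\updater.exe|
"""

# Constructed: the full command line shown when an entry is clicked in Autoruns.
FULL_COMMANDS_AFTER = {
    "OneDrive": 'cmd.exe /c "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background & malware.exe',
    "VBoxTry": "C:\\Windows\\system32\\VBoxTry.exe",
    "Updater": "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe",
}

FIELDS = ("description", "publisher", "image")

# cmd.exe (or bare cmd) invoked with /c or /k, possibly quoted.
_CMD_SHELL = re.compile(r'(?:^|[\\\s"])cmd(?:\.exe)?"?\s+/[ck]\b', re.IGNORECASE)
# Command-chaining operators understood by cmd.exe.
_CHAIN_OPS = re.compile(r"&&|\|\||[&|]")


def parse_report(text):
    """Map entry name -> {description, publisher, image} for each report row."""
    entries = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 4 or not parts[0]:
            continue  # blank or malformed row
        entries[parts[0]] = dict(zip(FIELDS, parts[1:4]))
    return entries


def diff_reports(before, after):
    """Return names of entries added, removed, or whose fields changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in before if n in after and before[n] != after[n]),
    }


def is_chained_launch(command):
    """True when cmd.exe /c or /k runs the entry and a chaining operator
    outside quotes links a further command to it."""
    if not _CMD_SHELL.search(command):
        return False
    unquoted = re.sub(r'"[^"]*"', "", command)  # operators inside quotes are literal
    return bool(_CHAIN_OPS.search(unquoted))


def review(before_text, after_text, full_commands):
    """Produce review lines: the diff plus any changed/added entry whose
    full command chains another executable."""
    before, after = parse_report(before_text), parse_report(after_text)
    delta = diff_reports(before, after)
    lines = [f"{kind}: {', '.join(names) or '-'}" for kind, names in delta.items()]
    for name in delta["added"] + delta["changed"]:
        cmd = full_commands.get(name, "")
        if is_chained_launch(cmd):
            lines.append(f"CHAINED LAUNCH in '{name}': {cmd}")
    return lines


if __name__ == "__main__":
    for line in review(REPORT_BEFORE, REPORT_AFTER, FULL_COMMANDS_AFTER):
        print(line)
```

Untick 'Hide Windows Entries' before saving both reports, otherwise an entry that was replaced by cmd.exe may not appear in either file and the diff has nothing to compare.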
