Evading Autoruns

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,970
Very interesting document (a research paper by Kyle Hanslovan and Chris Bisnett ) about how to use properly Sysinternals Autoruns program. There are many possible techniques which can hide malicious entries when using default Autoruns settings. The first simple example (among many others) is to replace the autorun entry:
C:\Windows\system32\VBoxTry.exe
with modified one:
cmd.exe /c start C:\Windows\system32\VBoxTry.exe & malware.exe
This command runs malware.exe after executing the autorun VBoxTry.exe .
You will see in the Autoruns window the entry C:\Windows\system32\VBoxTry.exe only when 'Hide Windows Entries' option is unticked. But even then, the whole command is not visible. It can be seen below the main window, when clicking on the C:\Windows\system32\VBoxTry.exe entry.
Good reading for malware testers.
.
See also:
Evading Autoruns, or: don’t rely solely on Autoruns for security
 
Last edited:
  • Like
Reactions: Parsh, roger_m, XhenEd and 12 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,970
I have downloaded the newest version of Autoruns (v.13.80 from September 2017) and there are some changes related probably to the above research.
For example, if we will make the below registry modification :
.
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background -->
cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background & malware.exe
.
In the older version, the Autoruns report will show:
OneDrive|Microsoft OneDrive|Microsoft Corporation|c:\users\#\appdata\local\microsoft\onedrive\onedrive.exe|
But, in the newest version, the report will show:
OneDrive | Windows Command Processor | Microsoft Corporation | c:\windows\system32\cmd.exe |
.
So the report in the newest version is closer to the truth, but still, the malware.exe is not visible, until we click on the OneDrive entry.
Anyway, for the malware tester, the best solution is saving the Autoruns report before the malware test and comparing with the report after the test. It should be remembered that 'Hide Windows Entries' should be unticked. Next, for any changed entry, we have to click on it in Autoruns window to see the full command.
Unfortunately, on my computer (Windows 10 Fall Creators Update), the comparing feature does not work, but it is possible to save both reports as TXT files and comparing them using any text comparing utility.:)
.
Edit
Comparing the reports will not work in older Autoruns versions.
 
Last edited:
  • Like
Reactions: Av Gurus, Parsh, Daniel Hidalgo and 4 others
You must log in or register to reply here.

Similar threads

Dreams&Visions
    • Like
    • Hundred Points
App Review Evorim Free Firewall
Replies
3
Views
1,584
Written Reviews - Security and Privacy
oldschool
oldschool
Victor M
    • Hundred Points
    • Thanks
Serious Discussion Why Choose Ubuntu Linux over Windows 11 Pro Today?
Replies
7
Views
1,272
General Security Discussions
Victor M
Victor M
Lymphocyte
    • Like
    • +Reputation
Security News ESET repports that OilRig’s persistent attacks using cloud service-powered downloaders
Replies
0
Views
2,749
Security News
Lymphocyte
Lymphocyte

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top