1. Uncovering Persistence With
Autoruns & Security Onion
#SOCAugusta
@DefensiveDepth

2. Autoruns
live.sysinternals.com
Boot execute. / Appinit DLLs. / Explorer addons.
Sidebar gadgets (Vista and higher)
Image hijacks.
Internet Explorer addons. / Known DLLs.
Logon startups. / WMI entries.
Winsock protocol and network providers.

3. Hijacks
Image hijacks at the time of log generation
ELSA Query: groupby:path - Closely review any entries

4. Goals
Implementation
Real-World Use

5. “Pertinax”
Latin: “Persistent, Stubborn”
Reference Architecture

6. 1) Generate
1) Tab-delimited CSV option
autorunsc -ct
2) Verify Signatures
autorunsc -s
3) Logfile is named with the hostname or IP
Address of the source system
“DD-HR” is the name of the log for the system DD-
HR

7. 2) Collect
for /f %%a in (host-list.txt) do (
psexec -accepteula %%a -c
autorunsc.exe -accepteula -a * -s -m -t -
h -ct * > Logs%%a.csv
)

8. 3) Normalize -Removal of autoruns’ header rows
-Addition of unique identifier to each message
-Addition of src hostname to each message
-Addition of runtime to each message
-Conversion to ASCII
-Replacement of TAB delimiter with a Pipe

9. 4) Import & Parse
<localfile> <location>C:Logsar-
normalized.log</location>
<log_format>syslog</log_format>
</localfile>
ELSA Pattern & OSSEC Decoder
-Hostname, DD-HR
-Category, Logon
-Entry, Skype
-Profile, DD-HRadmin
-Company, Skype Technologies
-Path, C:program files.....Skype.exe
- Signer / Version / Launch String / Hashes

10. 5) View

11. Real-World Use
(Daily)

12. Diff
200 entries x 50 hosts =
10,000 entries/day to review
Vs.
Few Hundred

13. Clients Servers

14. ELSA Queries
github.com/defensivedepth/Pertinax/wiki/Persistence-Categories
Stacking

15. Drivers
All non-disabled drivers at the time of log generation
ELSA Queries:
groupby:path -system32 -syswow64
groupby:company (Look for unsigned drivers)

16. Logon
Common Startup areas: Run & RunOnce keys, Start Menu
ELSA Queries:
groupby:path, +users - Stack
groupby:company - Stack

17. Internet Explorer
IE Addons at the time of log generation
ELSA Queries:
groupby:path - Stack

18. Explorer
Shell extensions, addons, etc
ELSA Queries:
groupby:path - Stack

19. Tasks
All registered tasks on the system
ELSA Queries:
groupby:path - Stack

20. Services
All Autostart services on the system
ELSA Queries:
groupby:path - Show all results outside of the System32
Folder - Stack
groupby:company - Stack

21. Codecs
Other Autoruns’ Categories
Network
Providers
Winlogon
LSA Providers
KnownDLL
Print Monitors
Boot Execute
WMI
Office Addins

22. Wrap-Up
Future Possiblities:
-Virus Total Integration
-OSSEC Rulesets

23. Questions?
@DefensiveDepth
github.com/defensivedepth/Pertinax