The document discusses using Autoruns and Security Onion to uncover persistence on systems. It describes how Autoruns can detect various types of persistence mechanisms including boot execute items, DLLs, Explorer addons, image hijacks, and more. It then outlines how Security Onion can be used to generate Autoruns logs from multiple systems, normalize the data, import it, and perform queries to detect anomalous or malicious items that may indicate persistence. Real-world use cases are discussed where this approach reduces the number of items to manually review from thousands to a few hundred.

1. Uncovering Persistence With
Autoruns & Security Onion
#SOCAugusta
@DefensiveDepth

2. Autoruns
live.sysinternals.com
Boot execute. / Appinit DLLs. / Explorer addons.
Sidebar gadgets (Vista and higher)
Image hijacks.
Internet Explorer addons. / Known DLLs.
Logon startups. / WMI entries.
Winsock protocol and network providers.

3. Hijacks
Image hijacks at the time of log generation
ELSA Query: groupby:path - Closely review any entries

4. Goals
Implementation
Real-World Use

5. “Pertinax”
Latin: “Persistent, Stubborn”
Reference Architecture

6. 1) Generate
1) Tab-delimited CSV option
autorunsc -ct
2) Verify Signatures
autorunsc -s
3) Logfile is named with the hostname or IP
Address of the source system
“DD-HR” is the name of the log for the system DD-
HR

7. 2) Collect
for /f %%a in (host-list.txt) do (
psexec -accepteula %%a -c
autorunsc.exe -accepteula -a * -s -m -t -
h -ct * > Logs%%a.csv
)

8. 3) Normalize -Removal of autoruns’ header rows
-Addition of unique identifier to each message
-Addition of src hostname to each message
-Addition of runtime to each message
-Conversion to ASCII
-Replacement of TAB delimiter with a Pipe

9. 4) Import & Parse
<localfile> <location>C:Logsar-
normalized.log</location>
<log_format>syslog</log_format>
</localfile>
ELSA Pattern & OSSEC Decoder
-Hostname, DD-HR
-Category, Logon
-Entry, Skype
-Profile, DD-HRadmin
-Company, Skype Technologies
-Path, C:program files.....Skype.exe
- Signer / Version / Launch String / Hashes

10. 5) View

11. Real-World Use
(Daily)

12. Diff
200 entries x 50 hosts =
10,000 entries/day to review
Vs.
Few Hundred

13. Clients Servers

14. ELSA Queries
github.com/defensivedepth/Pertinax/wiki/Persistence-Categories
Stacking

15. Drivers
All non-disabled drivers at the time of log generation
ELSA Queries:
groupby:path -system32 -syswow64
groupby:company (Look for unsigned drivers)

16. Logon
Common Startup areas: Run & RunOnce keys, Start Menu
ELSA Queries:
groupby:path, +users - Stack
groupby:company - Stack

17. Internet Explorer
IE Addons at the time of log generation
ELSA Queries:
groupby:path - Stack

18. Explorer
Shell extensions, addons, etc
ELSA Queries:
groupby:path - Stack

19. Tasks
All registered tasks on the system
ELSA Queries:
groupby:path - Stack

20. Services
All Autostart services on the system
ELSA Queries:
groupby:path - Show all results outside of the System32
Folder - Stack
groupby:company - Stack

21. Codecs
Other Autoruns’ Categories
Network
Providers
Winlogon
LSA Providers
KnownDLL
Print Monitors
Boot Execute
WMI
Office Addins

22. Wrap-Up
Future Possiblities:
-Virus Total Integration
-OSSEC Rulesets

23. Questions?
@DefensiveDepth
github.com/defensivedepth/Pertinax