Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time

#Autoruns Analysis

Purpose: Find malware persistence by examining common mechanisms across a network

Data Required: List of programs configured to start at boot/logon time on each endpoint

Collection Considerations: MS Sysinternals' autorunsc.exe is the most common way to collect this from a host

Analysis Techniques: Stack counting, string matching, outlier detection


Gather autoruns data from endpoints across the network and look for:

  • Executable starting out of c:programdata, recycle bin, appdata area, %temp%
  • Unsigned executables
  • Shortest / longest filenames
  • GUID filenames
  • Rare executable filenames or directories

More Info