Evading Autoruns, or: don't rely solely on Autoruns for security

Martin Brinkmann
Nov 5, 2017
Windows
|
15

Autoruns is a popular program for Windows to analyze all the different files, programs, and other items that run on system startup.

It is probably the most used tool for that purpose, and includes lots of nice to have features such as scanning files on Virustotal, hiding Microsoft entries, or management of autorun files to disable or delete items directly from within the program.

Evading Autoruns is a research paper by Kyle Hanslovan and Chris Bisnett from Huntress that reveals multiple evasion methods that malicious users could make use of to hide activities on the computer or in a network.

autoruns hide security

The researchers reveal multiple methods that attackers may use to hide their activity. Nested commands for instance may be used to execute multiple programs using a single startup item. These commands, e.g. &&, & or || combine one or multiple commands, usually by adding a malicious command after a legitimate command.

One of the issues that arises in Autoruns is that many users have configured the program to hide Microsoft entries as they are considered save by many. The problem is that hiding Microsoft entries may hide these command constructs.

Other techniques that the security researchers describe are:

  • Shell32.dll Indirection
  • DLL Hijacking
  • SyncAppvPublishingService
  • Service DLL Bug
  • Extension Search Order Bug
  • SIP Hijacking
  • .INF Scriptlets

The researchers come to the conclusion that Autoruns is a great tool for enumerating startup programs and files, but that it is not a security tool.

They suggest that administrators and users use it to enumerate data, and that they analyze the data the tool gathered using other means. Attackers will use these techniques and more complex ones to evade detection in Autoruns.

As far as things are concerned that you may do to make it more difficult for attackers to hide something, the following is helpful:

  1. Don't hide Microsoft and Windows entries in Autoruns. You find the option under Options > Hide Microsoft Entries and Options > Hide Windows entries. This displays more data, but it is important to see it from a security point of view.
  2. Enable the "verify code signatures" and "check virustotal.com" options in Options > Scan Options.
  3. Review any cmd.exe, pcalua, or SyncAppvPublishingService entries.
  4. Go through all entries and look for nested commands (may be easier to use the command line options to enumerate all and use find operations to go through the listing).

Now You: how do you enumerate autorun items and vet them? (via Deskmodder, Technet)

Summary
Evading Autoruns, or: don't rely solely on Autoruns for security
Article Name
Evading Autoruns, or: don't rely solely on Autoruns for security
Description
A look at the security research paper Evading Autoruns which describes methods to obfuscate autostart items in the popular Windows software.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. K@ said on November 7, 2017 at 12:23 pm
    Reply

    I’ve got into the habit of still running HijackThis, SvchostAnalyzer and adwcleaner, from time to time. I also use O&O regedit, to go through the registry, to see if I can find anything weird. That can be rather laborious, of course, and it’s not for the faint-hearted or those who don’t know their way around the registry.

    So much easier, in the days of the Amiga and it’s environment archive…

  2. Wayfarer said on November 7, 2017 at 4:52 am
    Reply

    All academic. I’ve used Autoruns for years, but since the Fall Creators Update, it crashes or hangs within seconds.

  3. db said on November 7, 2017 at 3:44 am
    Reply

    It is a security tool. Its just a flawed one. There are many malware apps that don’t use these techniques. I’ve torn out a few myself using this tool. However it is always good to know the weaknesses of your tools and have others to compensate.

  4. K@ said on November 6, 2017 at 10:20 pm
    Reply

    I seem to recall that Autoruns wasn’t entirely accurate, if you have an x64 version of Windoze. Dunno if that’s true. Any idea, Martin?

    I tend to use various programs from dear old NirSoft, to look for this sort of thing, now. To be honest, I lost trust in SysInternals stuff, since they sold-out to M$.

  5. Goldendays said on November 6, 2017 at 2:59 pm
    Reply

    Yes, interesting that one still doesn’t know how to use auto-page translation and complains about German. Work with some Russian sites; Spanish, Italian, French, Finish, Polish, Romanian, etc.

    Back to Autoruns–I used Alternative To yesterday to see what other programs were available. I ran several such as EmisoftHijackFree, or some such program that is no longer maintained but can be found at Major Geeks.

    http://www.majorgeeks.com/files/details/emsisoft_hijackfree.html

    The only program that seemed to be of value according to users is WinPatrol.

    https://www.winpatrol.com/mydownloads/

    I sure liked ThreatFire by PC Tools.

    1. Clairvaux said on November 6, 2017 at 8:15 pm
      Reply

      Well, how does one use auto-page translation ? This is a straightforward question, not a rhetorical one.

      1. Tom Hawack said on November 6, 2017 at 8:23 pm
        Reply

        If I remember correctly the auto-translate is a Chrome browser feature; maybe a Firefox add-on does it as well but Firefox doesn’t have this feature natively.

        Taking the opportunity to correct my above comment, slightly chaotic as I had cut/pasted too quickly.

        I should have wrote,
        “[…]My comment was a side-note, with all the required precautions to be explicit. Read, buddy, and stop complaining of what doesn’t exist.”

    2. Tom Hawack said on November 6, 2017 at 3:40 pm
      Reply

      Who’s complaining? Of course it’s obvious to get text or page translations but seldom of good quality.
      Sometimes I don’t understand that some people don’t seem to read, listen correctly, even when they don’t refer to the WinPatrol, that wof-wof doggy is it?! LOL. My comment was a side-note, with all the required precautions to be explicit even when they refer to the WinPatrol, that wof-wof doggy is it?! LOL. Read, buddy, and stop complaining of what doesn’t exist.

  6. Jack E. Alexander said on November 5, 2017 at 10:18 pm
    Reply

    For years I have relied on a small program from Mike Lin. It’s called StartupMonitor. It can be found at: http://www.chip.de/downloads/StartupMonitor_32331240.html. I’m using this site to avoid sending anyone to CNET.

    With it installed I get a window that pops up during installations asking if I want this process to autostart or not. This way one can avoid a lot of hidden startup processes.

    1. Understatement of the day: Win 10 is buggy! said on November 6, 2017 at 1:48 pm
      Reply

      Last update 2008 and support only till Win XP

      Even Michael Lin call it obsolete.

      http://www.mlin.net/

      1. Anonymous said on November 8, 2017 at 7:18 am
        Reply

        _Support_ only to Win XP, but it works fine on my Win 7.

    2. Tom Hawack said on November 6, 2017 at 10:51 am
      Reply

      A pity for those who aren’t fluent in Goethe’s and Schiller’s language that the site is only in German. Side-note : I notice quite often that German domains seem very faithful to their native language, perhaps more than elsewhere, which I can understand and even admire in a certain way when English is becoming omnipotent, even if it requires a page translation which isn’t always as faithful :)

      Concerning this ‘StartupMonitor’ application, it may be valuable but it won’t provide more information than Autoruns, especially it won’t be an answer to the problematic exposed in this article.

    3. HK-Rapper said on November 6, 2017 at 10:11 am
      Reply

      The site you linked to is actually worse, given who owns it and how they try to sneak users a downloader instead of the actual file if a person doesn’t use ublock.

      1. Thorky said on November 6, 2017 at 10:32 am
        Reply

        Please choose “Manuelle Installation”. This leads directly to the download of the program-setup-file.

  7. Tom Hawack said on November 5, 2017 at 8:29 pm
    Reply

    “They [the researchers] suggest that administrators and users use it to enumerate data, and that they analyze the data the tool gathered using other means. Attackers will use these techniques and more complex ones to evade detection in Autoruns.”

    That’s how I use Autoruns, when I do use it which is occasional.
    Microsoft and Windows entries are not hidden in my Autoruns.
    I enabled the “verify code signatures” option in Options > Scan Options but not the “check virustotal.com” which appears to rely on a problematic connection here (must be a blocker somewhere amid my great walls :)

    Thanks for this valuable article, Martin. Should have I been inclined to assimilate Autorun results to security evidence that I certainly wouldn’t anymore, as there appears to be more to a dancing floor than the dancers on the track.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.