Autoruns is a popular program for Windows to analyze all the different files, programs, and other items that run on system startup.
It is probably the most used tool for that purpose, and includes lots of nice to have features such as scanning files on Virustotal, hiding Microsoft entries, or management of autorun files to disable or delete items directly from within the program.
Evading Autoruns is a research paper by Kyle Hanslovan and Chris Bisnett from Huntress that reveals multiple evasion methods that malicious users could make use of to hide activities on the computer or in a network.
The researchers reveal multiple methods that attackers may use to hide their activity. Nested commands for instance may be used to execute multiple programs using a single startup item. These commands, e.g. &&, & or || combine one or multiple commands, usually by adding a malicious command after a legitimate command.
One of the issues that arises in Autoruns is that many users have configured the program to hide Microsoft entries as they are considered save by many. The problem is that hiding Microsoft entries may hide these command constructs.
Other techniques that the security researchers describe are:
The researchers come to the conclusion that Autoruns is a great tool for enumerating startup programs and files, but that it is not a security tool.
They suggest that administrators and users use it to enumerate data, and that they analyze the data the tool gathered using other means. Attackers will use these techniques and more complex ones to evade detection in Autoruns.
As far as things are concerned that you may do to make it more difficult for attackers to hide something, the following is helpful:
If you like our content, and would like to help, please consider making a contribution: