
Utilizes the Sysinternals Autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself, but through analysis of its results by an analyst it can be used for such. Building another analytic on top of this one that identifies unusual entries would likely be a beneficial alternative.

ATT&CK Detections: Registry Run Keys / Startup Folder, Port Monitors, Winlogon Helper DLL, Accessibility Features, AppInit DLLs, Change Default File Association, Windows Management Instrumentation Event Subscription, Services Registry Permissions Weakness, Services File Permissions Weakness, Path Interception by Unquoted Path, Path Interception by Search Order Hijacking, Path Interception by PATH Environment Variable.

Copyright © 2022, The MITRE Corporation.

The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third-party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms, its scanning nature does not conform well to streaming-based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.
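The periodic-scan-and-compare workflow described above, as an added example (not part of the CAR analytic or of Sysinternals): two autorunsc CSV snapshots are parsed, verified-Microsoft entries are dropped the way -m does, and entries present in only one snapshot are reported as added or removed. The column names ("Entry Location", "Entry", "Signer", "Image Path", "Launch String") and the "(Verified) Microsoft" signer text are assumptions about the CSV header autorunsc -c emits; adjust them to the header of the version in use. The two snapshots are constructed sample data, not real tool output.

```python
"""Compare two autorunsc CSV snapshots and report added/removed persistence entries.

Added example for this analytic; column names are assumed to follow the header
that `autorunsc -c` emits (adjust KEY_COLUMNS and the "Signer" check if your
version differs).
"""
import csv
import io

# Columns that identify one autostart entry (assumed autorunsc -c header names).
KEY_COLUMNS = ("Entry Location", "Entry", "Image Path", "Launch String")


def is_verified_microsoft(row):
    """Mirror of `autorunsc -m`: drop entries whose signature verified as Microsoft.
    The "(Verified) Microsoft ..." signer text is an assumption about the output."""
    return row.get("Signer", "").startswith("(Verified) Microsoft")


def parse_autoruns_csv(text, hide_microsoft=True):
    """Parse CSV text into {entry_key: row}. Entries are keyed on KEY_COLUMNS, so a
    changed image path or launch string shows up as a removal plus an addition."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        if hide_microsoft and is_verified_microsoft(row):
            continue
        key = tuple(row.get(col, "") for col in KEY_COLUMNS)
        entries[key] = row
    return entries


def diff_autoruns(baseline_text, current_text, hide_microsoft=True):
    """Return (added, removed) rows between a baseline and a newer snapshot."""
    base = parse_autoruns_csv(baseline_text, hide_microsoft)
    cur = parse_autoruns_csv(current_text, hide_microsoft)
    added = [row for key, row in cur.items() if key not in base]
    removed = [row for key, row in base.items() if key not in cur]
    return added, removed


def format_report(added, removed):
    """Render the diff as analyst-readable lines (one per changed entry)."""
    lines = []
    for row in added:
        lines.append(f"ADDED   {row['Entry Location']} :: {row['Entry']} -> {row['Image Path']}")
    for row in removed:
        lines.append(f"REMOVED {row['Entry Location']} :: {row['Entry']} -> {row['Image Path']}")
    return lines


# Constructed sample snapshots (not real autorunsc output): a Microsoft entry,
# a signed third-party agent, and in the second snapshot a new unsigned user Run key.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorAgent,enabled,Logon,(Verified) Example Vendor Inc,c:\program files\example\agent.exe,c:\program files\example\agent.exe /background
"""

CURRENT_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,(Verified) Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,updater,enabled,Logon,(Not verified),c:\users\alice\appdata\roaming\updater.exe,c:\users\alice\appdata\roaming\updater.exe
"""

if __name__ == "__main__":
    added, removed = diff_autoruns(BASELINE_CSV, CURRENT_CSV)
    print("\n".join(format_report(added, removed)))
```

Keying on location, entry, image path and launch string means an entry whose target binary was swapped in place is reported as one removal and one addition, which is usually what an analyst wants to see. Passing hide_microsoft=False surfaces the verified-Microsoft additions as well, at the cost of the extra noise the analytic description warns about.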

Analytic Type: Situational Awareness, TTP

Sysinternals Autoruns v11. Autorunsc shows programs configured to autostart during boot.

Autorunsc Usage
Usage: autorunsc |

  -g    Sidebar gadgets (Vista and higher).
  -h    Image hijacks.
  -m    Hide Microsoft entries (signed entries if used with -v).
  -n    Winsock protocol and network providers.
  -s    Autostart services and non-disabled drivers.
  -z    Specifies the offline Windows system to scan.
  user  Specifies the name of the user account for which autorun items will be shown.
