Uncovering Persistence With Autoruns & Security Onion

#SOCAugusta@DefensiveDepth

Autorunslive.sysinternals.com

Boot execute. / Appinit DLLs. / Explorer addons.

Sidebar gadgets (Vista and higher)

Image hijacks.

Internet Explorer addons. / Known DLLs.

Logon startups. / WMI entries.

Winsock protocol and network providers.

HijacksImage hijacks at the time of log

generationELSA Query: groupby:path - Closely review any entries

GoalsImplementation

Real-World Use

“Pertinax”Latin: “Persistent, Stubborn”

Reference Architecture

1) Generate

1) Tab-delimited CSV option

autorunsc -ct

2) Verify Signatures

autorunsc -s

3) Logfile is named with the hostname or IP

Address of the source system

“DD-HR” is the name of the log for the system DD-

HR

2) Collectfor /f %%a in (host-list.txt) do ( psexec -accepteula \\%%a -c autorunsc.exe -accepteula -a * -s -m -t -h -ct * > Logs\%%a.csv)

3) Normalize -Removal of autoruns’ header rows

-Addition of unique identifier to each message

-Addition of src hostname to each message

-Addition of runtime to each message

-Conversion to ASCII

-Replacement of TAB delimiter with a Pipe

4) Import & Parse

<localfile> <location>C:\Logs\ar-normalized.log</location> <log_format>syslog</log_format></localfile>

ELSA Pattern & OSSEC Decoder

-Hostname, DD-HR

-Category, Logon

-Entry, Skype

-Profile, DD-HR\admin

-Company, Skype Technologies

-Path, C:\program files\.....\Skype.exe

- Signer / Version / Launch String / Hashes

5) View

Real-World Use(Daily)

Diff

200 entries x 50 hosts = 10,000 entries/day to review

Vs.

Few Hundred

Clients Servers

ELSA Queriesgithub.com/defensivedepth/Pertinax/wiki/Persistence-

Categories Stacking

DriversAll non-disabled drivers at the time of log

generation

ELSA Queries:

groupby:path -system32 -syswow64

groupby:company (Look for unsigned drivers)

LogonCommon Startup areas: Run & RunOnce

keys, Start Menu

ELSA Queries:

groupby:path, +users - Stack

groupby:company - Stack

Internet Explorer

IE Addons at the time of log generation

ELSA Queries:

groupby:path - Stack

ExplorerShell extensions, addons, etc

ELSA Queries:

groupby:path - Stack

TasksAll registered tasks on the system

ELSA Queries:

groupby:path - Stack

ServicesAll Autostart services on the system

ELSA Queries:

groupby:path - Show all results outside of the System32 Folder - Stack

groupby:company - Stack

Codecs

Other Autoruns’ CategoriesNetwork

Providers

Winlogon

LSA Providers

KnownDLL

Print MonitorsBoot

Execute WMI

Office Addins

Wrap-Up

Future Possiblities: -Virus Total Integration-OSSEC Rulesets

Questions?@DefensiveDepth

github.com/defensivedepth/Pertinax