System administrators are responsible for managing and securing the sensitive data of large organizations in a sustainable way. Their cardinal task is to keep server systems running securely, reliably and stably, and as resistant as possible to external attack. This article is therefore written for system administrators, to ease their day-to-day monitoring with freely available system utilities. It explains the benefits of using essential system tools to retrieve and monitor sensitive information during audits and forensic work.
The Sysinternals toolkit, published free of charge by Microsoft (originally through the TechNet community), offers a wide range of diagnostic tools and utilities that help an administrator track down hidden or abnormal processes and hunt for malware.
Autoruns (the Sysinternals tool, not to be confused with the Windows AutoRun feature for removable media discussed later) shows every program, service, driver, DLL or scheduled task that Windows starts automatically without the user deliberately launching it. It fills its display from the information gathered at the ASEPs (explained in the next section) as shown in the figure below. Each row shows the entry name, publisher, description and image path (the location of the target file that the autostart points to). Each row also carries a checkbox for enabling or disabling the entry (changing machine-wide entries requires administrative privileges) and a VirusTotal column with the scan result once that option is turned on. When the target file cannot be found at the recorded location, as often happens with orphaned COM InProcServer32 registrations, Autoruns highlights the row in yellow and reports "File not found". The Timestamp column records when the registry key or file that defines the entry was last written, which helps date an entry and correlate it with other evidence. Finally, entries whose image has no publisher information or whose signature cannot be verified are highlighted in pink automatically.
Before going deeper into the Sysinternals Autoruns utility, the term ASEP (Autostart Extensibility Point) needs explaining: ASEPs are the locations in the file system and registry through which autostarts are configured on Windows, in both the 32-bit and 64-bit editions. Windows itself is built on ASEPs: services, drivers, shell extensions and many other components are all started through them. Autoruns scans a plethora of ASEP locations within seconds, which makes it far easier to spot a suspicious autostart than inspecting the registry by hand, and it also lets you enable or disable each autostart it finds.
Autostart Malware –
The legitimate way to remove malware is first to identify the malicious driver or process and then to terminate and remove it. The question is how to identify a suspicious entry, and a few indicators help: an entry with no icon, an unsigned or unverified image, a strange URL or path, no description or company name, and so on. Windows legitimately uses autostart entries to launch essential services and drivers during boot; attackers use the same mechanism to run a camouflaged, unwanted service without the user's permission or knowledge, and malware routinely adds an entry for itself to one of the autostart locations so that it survives a reboot.
The Startup tab shown in the figure above (the StartUp tab of the msconfig.exe utility on older Windows versions; on Windows 8 and later this list moved to Task Manager) shows which programs are started at logon, intentionally or inadvertently. Historically, attackers infected large numbers of machines by distributing their malicious software (often the client of a botnet) bundled with free programs on discs given away by computer magazines or rogue organizations. The moment the user inserted the disc, the Windows AutoRun feature, which executes the program named in an autorun.inf file on removable media, launched the malware automatically.
Targets have also been lured with free USB drives carrying such software. It is therefore strongly recommended to disable AutoRun: since a 2011 update Windows no longer honours autorun.inf on USB drives, but the policy should be enforced explicitly, for example by setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, to block attacks delivered through USB and optical media.
Note: System administrators often use Autoruns to capture a baseline of the ASEPs on a computer, which can later be compared with a fresh capture for troubleshooting or to spot autostarts that have appeared since.
Autoruns internal –
Attackers can implant malware on a target computer or manipulate existing services by hooking into them. Administrators often rely on the publisher name shown for an entry to judge whether a service is legitimate, but attackers overcome this easily by labelling their service with a well-known publisher such as "Microsoft Corporation": the company name is just a string in the file's version resource and proves nothing.
A verified digital signature is therefore the only thing that gives real assurance of a file's integrity and authenticity. The authenticity of an entry can be checked by selecting it and choosing the Verify Image option on the Entry menu (or for every entry at once by enabling code-signature verification under Options > Scan Options), which yields the result shown in the figure below. If the file is signed with a certificate that chains to a trusted CA, the Publisher column is prefixed with "(Verified)"; otherwise it reads "(Not verified)", as follows:
An entry is disabled by clearing its checkbox: Autoruns moves it to an AutorunsDisabled subkey (or subfolder), so it no longer starts at boot but can be re-enabled later. Deleting an entry (Entry > Delete) removes it from the ASEP permanently; there is no undo. Neither operation deletes the target file itself. Deletion should therefore be done with caution, because removing the wrong entry can leave the computer in an unstable state from which recovery is not possible.
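The warning signs described above (no publisher, unverified signature, a publisher name that merely claims to be Microsoft, a missing target file) can be checked mechanically against an Autoruns export instead of being eyeballed row by row. The script below is an added example and is not part of the original article or of the Sysinternals tools. It assumes the export was produced by Autoruns' command-line counterpart autorunsc with CSV output (for example `autorunsc64.exe -accepteula -a * -c -h -s -nobanner > export.csv`; check `autorunsc -?` for the switches in your version), decoded to text, and that the header uses the column names shown in the constructed sample. The user-writable-path and host-binary heuristics are assumptions added for this example, not Autoruns features.

```python
"""Triage an autorunsc CSV export for the warning signs discussed above.

Added example, not part of the original article or of Sysinternals.
Assumptions: the export is autorunsc CSV output decoded to text, and its
header uses the column names in COLUMNS (adjust them if your version differs).
"""
import csv
import io
import re

# autorunsc CSV header names used below (assumption: matches `autorunsc -c`)
COLUMNS = {
    "location": "Entry Location", "entry": "Entry", "description": "Description",
    "signer": "Signer", "company": "Company", "image": "Image Path",
    "launch": "Launch String",
}

# Heuristics added for this example (not Autoruns features): directories any
# user can write to, and signed Windows host binaries commonly abused to run
# an unsigned payload.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|users\\public|programdata|downloads)\\", re.I)
HOST_BINARIES = re.compile(
    r"\\(rundll32|regsvr32|mshta|powershell|pwsh|wscript|cscript|cmd)\.exe$", re.I)

# Constructed sample export: rows 1, 2 and 6 are benign; rows 3, 4 and 5 show
# the patterns an analyst should look at.
SAMPLE_EXPORT = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,a1
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,c:\windows\system32\spoolsv.exe,a2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WUHelper,enabled,Logon,System-wide,Windows Update Helper,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\roaming\wuhelper.exe,c:\users\alice\appdata\roaming\wuhelper.exe,a3
Task Scheduler,\OldBackup,enabled,Tasks,System-wide,,,,File not found: c:\program files\oldbackup\backup.exe,c:\program files\oldbackup\backup.exe,
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpdate,enabled,Logon,System-wide,Windows host process (Rundll32),(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\rundll32.exe,"rundll32.exe c:\users\alice\appdata\local\temp\upd.dll,Start",a4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Dropbox,enabled,Logon,System-wide,Dropbox,(Verified) Dropbox Inc,Dropbox Inc,c:\program files (x86)\dropbox\client\dropbox.exe,c:\program files (x86)\dropbox\client\dropbox.exe,a5
"""


def parse_export(text):
    """Parse decoded autorunsc CSV text into row dicts (tolerates a BOM)."""
    return list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))


def triage_entry(row):
    """Return the warning signs for one ASEP entry (empty list = nothing odd)."""
    def field(name):
        return (row.get(COLUMNS[name]) or "").strip()

    image, description = field("image"), field("description")
    signer, company, launch = field("signer"), field("company"), field("launch")

    # Autoruns reports a missing target as "File not found: <path>": an orphaned
    # entry, or a payload that hides itself from the scan. Nothing else can be
    # checked without the file, so stop here.
    if image.lower().startswith("file not found") or description.lower().startswith("file not found"):
        return ["image file not found (orphaned entry, or payload hidden from the scan)"]

    findings = []
    verified = signer.lower().startswith("(verified)")
    if not verified:
        findings.append("signature not verified" if signer else "no signer information")
    # The Company string comes from the file's version resource and can say
    # anything; only a verified signature proves who published the file.
    if not verified and "microsoft" in company.lower():
        findings.append("claims Microsoft as publisher without a verified Microsoft signature")
    if not description:
        findings.append("no description")
    if USER_WRITABLE.search(image):
        findings.append("image lives in a user-writable directory")
    # A verified signer is not enough on its own: the image may be a legitimate
    # Windows host binary whose launch string points at an unsigned payload.
    if HOST_BINARIES.search(image) and USER_WRITABLE.search(launch):
        findings.append("signed Windows host binary launching a payload from a user-writable path")
    return findings


def triage_export(text):
    """Map each flagged entry name to its warning signs, in export order."""
    report = {}
    for row in parse_export(text):
        findings = triage_entry(row)
        if findings:
            report[(row.get(COLUMNS["entry"]) or "").strip()] = findings
    return report


if __name__ == "__main__":
    for entry, findings in triage_export(SAMPLE_EXPORT).items():
        print(f"{entry}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run it on the sample and only WUHelper, \OldBackup and OneDriveUpdate are reported; the Dropbox entry, which is unsigned by Microsoft but verifiably signed by its own publisher, is not. The OneDriveUpdate row is the important caveat: its image is a genuinely signed Microsoft binary, so a check on the Publisher column alone would pass it, and only the launch string gives it away.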
Autoruns Components –
Autoruns groups its results into a long list of tabs (Boot Execute, Services, Explorer, Winlogon, Drivers, and so on) that fill the moment the scan completes. This section covers only the most important of the roughly 19 tabs, since the remaining ones rarely matter in practice.
First, the Logon tab shows what runs when Windows starts and a user logs on, listing the ASEPs used by applications: the various Run and RunOnce keys, the Startup folders, and the logon, logoff, startup and shutdown scripts.
Second, the system services, which are configured under the registry key HKLM\SYSTEM\CurrentControlSet\Services: Autoruns lists every enabled service, whether it runs in its own process or in a shared one, with its path, publisher and other important details, as displayed in the image below.
Another interesting tab is KnownDLLs. Windows keeps a list of known DLLs under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and maps them from the system directory regardless of an application's search path. This improves performance, because every process shares the same verified copy of each DLL, and it also prevents search-order hijacking of those DLL names. The tab helps with malware detection when an attacker replaces one of the listed DLLs or adds an entry for one of his own: such a change is easy to spot by comparing saved Autoruns results against a known-good instance of the same operating system.
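The baseline comparison recommended in the note above and again here for KnownDLLs can be automated over two autorunsc exports. The script below is an added example, not part of the original article or of Sysinternals; it assumes both exports are autorunsc CSV output decoded to text, taken with hashes and signature verification enabled (`-h -s`), and that the header uses the column names in KEY and WATCH. Both exports are constructed samples: the later one shows a KnownDLL replaced by an unsigned copy, a vendor agent removed, and a new Run entry that appeared.

```python
"""Compare a baseline Autoruns export with a later one from the same machine.

Added example, not part of the original article or of Sysinternals. Assumes
both exports are autorunsc CSV output decoded to text and that the header
uses the column names in KEY and WATCH (adjust if your version differs).
"""
import csv
import io

KEY = ("Entry Location", "Entry")                             # identifies one ASEP entry
WATCH = ("Image Path", "Launch String", "Signer", "SHA-256")  # changes worth reporting

# Constructed baseline captured from a known-good system.
BASELINE = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls,ole32.dll,enabled,KnownDLLs,Microsoft OLE for Windows,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ole32.dll,ole32.dll,1111
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,2222
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorAgent,enabled,Logon,Vendor management agent,(Verified) Example Vendor Ltd,Example Vendor Ltd,c:\program files\vendor\agent.exe,c:\program files\vendor\agent.exe /tray,3333
"""

# Constructed later export: ole32.dll replaced by an unsigned copy, VendorAgent
# removed, and a new Run entry pointing into a user profile.
LATER = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls,ole32.dll,enabled,KnownDLLs,Microsoft OLE for Windows,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\windows\system32\ole32.dll,ole32.dll,9999
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,2222
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SystemSync,enabled,Logon,System Sync Service,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\roaming\sync\syncd.exe,c:\users\alice\appdata\roaming\sync\syncd.exe,4444
"""


def load_export(text):
    """Index decoded autorunsc CSV text by (location, entry); tolerates a BOM."""
    rows = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    return {tuple((r.get(k) or "").strip() for k in KEY): r for r in rows}


def is_verified_microsoft(row):
    """True when Autoruns verified the image's signature as Microsoft's."""
    return (row.get("Signer") or "").lower().startswith("(verified) microsoft")


def diff_exports(baseline_text, later_text, hide_verified_microsoft=False):
    """Return the entries added, removed and changed between two exports.

    `changed` pairs each entry with the WATCH columns that differ, as
    {column: (old, new)}. `hide_verified_microsoft` mirrors the GUI's
    "Hide Microsoft Entries" for additions only: an existing entry that
    changed is always reported, because spotting that is what a baseline is for.
    """
    base, later = load_export(baseline_text), load_export(later_text)
    added = [later[k] for k in sorted(later.keys() - base.keys())]
    removed = [base[k] for k in sorted(base.keys() - later.keys())]
    changed = []
    for k in sorted(base.keys() & later.keys()):
        deltas = {c: (base[k].get(c) or "", later[k].get(c) or "")
                  for c in WATCH if (base[k].get(c) or "") != (later[k].get(c) or "")}
        if deltas:
            changed.append((later[k], deltas))
    if hide_verified_microsoft:
        added = [r for r in added if not is_verified_microsoft(r)]
    return {"added": added, "removed": removed, "changed": changed}


def format_report(diff):
    """Render a diff as one line per finding, for the console or a ticket."""
    lines = []
    for row in diff["added"]:
        lines.append(f"ADDED   {row['Entry Location']} :: {row['Entry']} -> "
                     f"{row['Image Path']} [{row['Signer']}]")
    for row in diff["removed"]:
        lines.append(f"REMOVED {row['Entry Location']} :: {row['Entry']}")
    for row, deltas in diff["changed"]:
        what = "; ".join(f"{c}: {old!r} -> {new!r}" for c, (old, new) in deltas.items())
        lines.append(f"CHANGED {row['Entry Location']} :: {row['Entry']} ({what})")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(diff_exports(BASELINE, LATER))))
```

Two practical points. The baseline must be captured with signature verification and hashes switched on; otherwise the Signer and SHA-256 columns are empty and the comparison is blind to exactly the change that matters in the ole32.dll row. And a changed hash alone on a verified Microsoft entry is expected after every Windows update; the signal to chase is a hash change that arrives together with the signer flipping to "(Not verified)" or the image path moving somewhere new.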
The Drivers tab lists the drivers loaded during boot, as shown in the figure below. Drivers run in kernel mode, which lets them interact directly with hardware, storage and so on. Autoruns displays only the drivers that are enabled, with their description, path and other important details. Drivers can be disabled or deleted from this tab as well; the change takes effect after the system is rebooted.
Buggy executable code loaded by media players, typically codecs, often slows a system down. The Codecs tab enumerates all executable code that can be loaded by media playback applications, so a misconfigured codec that is causing performance problems can be identified.
Next, the Boot Execute tab displays the executables that the Session Manager (smss.exe) runs during boot before any other user-mode code, such as the hard-drive verification and repair that Windows performs with autochk.
Note #1: Autoruns results can be saved to disk either in its own binary (.arn) format or as tab-delimited text. A saved file is a read-only snapshot for later review and comparison (File > Compare); the tool never modifies it.
Note #2: The entire set of Sysinternals utilities can be downloaded as one archive from the Sysinternals website, or you can avoid the hassle of downloading and unzipping by browsing the tools' file share directly: enter \\live.sysinternals.com\tools in the Windows Run box (the share is served over WebDAV, so the WebClient service must be running). The tools can also be fetched individually from the Live portal (https://live.sysinternals.com/files/) as follows;
Malware Cleaning and Troubleshooting
Autoruns integrates with the VirusTotal API, which checks a file against dozens of antivirus engines. The feature is enabled with the Check VirusTotal.com option under Options > Scan Options: Autoruns then submits the hashes of the image files (not the files themselves, unless Submit Unknown Images is also selected) and shows in the VirusTotal column how many engines flagged each file out of how many scanned it.
Because Windows itself relies so heavily on ASEPs, Autoruns normally displays a very large number of entries. Most of these are of no interest and can be hidden with the Hide Windows Entries option (or Hide Microsoft Entries, which also hides Microsoft components outside Windows). Turn on signature verification first: with it off, hiding is based on the publisher string alone, and an entry merely claiming to be from Microsoft would be hidden too. What remains is shown as shaded rows, one for each ASEP that was scanned, as follows;
Apart from that, Autoruns offers a useful option for hunting malware installed under another account: when run with administrative rights it adds a User menu listing the accounts on the machine. When a standard user inadvertently installs a malicious program, that user cannot change the system settings needed to clean it up. From an elevated Autoruns, the administrator can select the potentially compromised account, inspect its per-user ASEPs, and clean up the malware.
Finally, for troubleshooting, Autoruns offers offline analysis (File > Analyze Offline System) to examine and fix misconfigured ASEPs on a Windows installation that is not running, such as a disk mounted from another machine. Autoruns must be run with full rights and pointed at the offline instance's system root and user profile (autorunsc supports the same through its -z switch). This also helps reveal entries that Autoruns cannot see on a live system: some malware, rootkits in particular, is strong enough to hide its ASEPs from tools running on the infected system, but once that system is examined offline the malicious entries can no longer be concealed.
The goal of this article was to detect malware with the Autoruns utility, since malware by its nature stays dormant and persistent on an infected system. Autoruns covers drivers, logon entries, DLLs, network providers, services, codecs and more, so it reveals misconfigurations as well as the current autostart state of the system. It also helps with cleaning up malware and, to some extent, restoring a system to a known-good configuration. Finally, we have seen how the ASEP entries Autoruns displays correlate directly with the registry hives and file-system locations that define them.