Introduction
Everyone knows about common autostart locations like Run, RunOnce, scheduled tasks, and services. But did you know there are more than 50 locations in Windows where autostart persistence can be achieved? Today, we’re going to dive into this topic. I won’t cover all the locations here to keep this article concise, but I’ll show you how to collect and analyze these locations using screenshots and commands.
Autostart Extensible Points (ASEPs)
Autostart Extensible Points (ASEPs) are locations in the Windows registry where configurations can be set to autostart programs either at boot or logon. Profiling these persistence mechanisms is crucial for identifying potential malware or unauthorized software.
Using RECmd to Detect Persistence
RECmd, a command-line tool by Eric Zimmerman, can be used to automate the detection of persistence mechanisms using batch files. The RegistryASEPs.reb batch file is specifically designed for this purpose.
Method 1: Running RECmd on Collected Hives
Collect All Hives:
Gather all relevant registry hives (e.g., NTUSER.DAT, USERASSIST, SYSTEM, SAM) into one folder.
Run RECmd:
Use the following command to run RECmd on the collected hives:
recmd.exe --bn BatchExamples\RegistryASEPs.reb -d C:\Path\To\Hives --csv C:\Users\akash\Desktop --csvf recmd.csv
Or easy method:
Method 2: Using KAPE
Run KAPE:
Use KAPE to directly target and parse registry hives for ASEPs.
Command:
kape.exe --tsource C: --tdest C:\Users\Akash\Desktop\tout --target RegistryHives --mdest C:\Users\akash\Desktop\mout --module RECmd_RegistryASEPs
In tout will be original artifact and in mout parsed artifact.
Output:
I will use timeline explorer to Analysis the parsed output:
Example for Analysis
After running the commands, you can use Timeline Explorer to search for temporary files. This will help you find all the files that ran through the temp folder, providing insights into potential persistence mechanisms.
Conclusion
Understanding and detecting ASEPs is crucial for maintaining the security of your Windows systems. By using tools like RECmd and KAPE, you can automate the detection process and gain valuable insights into potential persistence mechanisms.
Akash Patel
Comments