top of page

Uncovering Autostart Locations in Windows

Introduction

Everyone knows about common autostart locations like RunRunOnce, scheduled tasks, and services. But did you know there are more than 50 locations in Windows where autostart persistence can be achieved? Today, we’re going to dive into this topic. I won’t cover all the locations here to keep this article concise, but I’ll show you how to collect and analyze these locations using screenshots and commands.


Autostart Extensible Points (ASEPs)

Autostart Extensible Points (ASEPs) are locations in the Windows registry where configurations can be set to autostart programs either at boot or logon. Profiling these persistence mechanisms is crucial for identifying potential malware or unauthorized software.


Using RECmd to Detect Persistence

RECmd, a command-line tool by Eric Zimmerman, can be used to automate the detection of persistence mechanisms using batch files. The RegistryASEPs.reb batch file is specifically designed for this purpose.


Method 1: Running RECmd on Collected Hives

  1. Collect All Hives:

    • Gather all relevant registry hives (e.g., NTUSER.DATUSERASSISTSYSTEMSAM) into one folder.

  2. Run RECmd:

  3. Use the following command to run RECmd on the collected hives:

recmd.exe --bn BatchExamples\RegistryASEPs.reb -d C:\Path\To\Hives --csv C:\Users\akash\Desktop --csvf recmd.csv

Or easy method:

Method 2: Using KAPE

  1. Run KAPE:

  2. Use KAPE to directly target and parse registry hives for ASEPs.

  3. Command:

kape.exe --tsource C: --tdest C:\Users\Akash\Desktop\tout --target RegistryHives --mdest C:\Users\akash\Desktop\mout --module RECmd_RegistryASEPs

In tout will be original artifact and in mout parsed artifact.


Output:

I will use timeline explorer to Analysis the parsed output:

Example for Analysis

After running the commands, you can use Timeline Explorer to search for temporary files. This will help you find all the files that ran through the temp folder, providing insights into potential persistence mechanisms.


Conclusion

Understanding and detecting ASEPs is crucial for maintaining the security of your Windows systems. By using tools like RECmd and KAPE, you can automate the detection process and gain valuable insights into potential persistence mechanisms.

Akash Patel

104 views0 comments

Comments


bottom of page