The Sysinternals tool Autoruns checks the registry and file system to identify known persistence mechanisms. It outputs every tool it identifies, including built-in or add-on Microsoft functionality and third-party software. Many of these locations are known to adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms, its scanning nature does not conform well to streaming-based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.

| Technique | Tactic | Level of Coverage |
|---|---|---|
| Modify Existing Service | Persistence | Moderate |
| Registry Run Keys / Startup Folder | Persistence | Moderate |
| Path Interception | Persistence, Privilege Escalation | Moderate |
| Accessibility Features | Privilege Escalation, Persistence | Moderate |
| Modify Registry | Persistence, Execution | Moderate |
| Service Registry Permissions Weakness | Persistence, Execution | Moderate |
| Windows Management Instrumentation Event Subscription | Persistence | Moderate |
| File System Permissions Weakness | Privilege Escalation, Persistence | Moderate |
| Change Default File Association | Persistence | Moderate |
| Winlogon Helper DLL | Persistence | Moderate |

This analytic uses the Sysinternals Autoruns tool (ignoring validated Microsoft entries). It is not primarily a detection analytic by itself, but an analyst can use it as one by analyzing the results. Building another analytic on top of this one to identify unusual entries would likely be a beneficial alternative.
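
The periodic comparison of Autoruns output described above, as an added example that is not part of the original analytic: it diffs two CSV snapshots and reports added, removed and modified autostart entries. The column names are assumed to match the CSV written by `autorunsc` with hashing enabled; the sample rows, placeholder hashes and function names are constructed for illustration.

```python
import csv
import io

KEY = ("Entry Location", "Entry")   # identifies one autostart entry
WATCH = ("Enabled", "Image Path", "Launch String", "SHA-256")  # compared fields

# Constructed snapshots: a column subset of the CSV, with placeholder hashes.
HEADER = "Entry Location,Entry,Enabled,Image Path,Launch String,SHA-256\n"
BASELINE = HEADER + r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorUpdater,enabled,c:\program files\vendor\updater.exe,c:\program files\vendor\updater.exe /silent,hash-a
HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,c:\program files\example\svc.exe,c:\program files\example\svc.exe,hash-b
"""
CURRENT = HEADER + r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorUpdater,enabled,c:\program files\vendor\updater.exe,c:\program files\vendor\updater.exe /silent,hash-a
HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,c:\users\public\svc.exe,c:\users\public\svc.exe,hash-c
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,helper,enabled,c:\users\alice\appdata\roaming\helper.exe,c:\users\alice\appdata\roaming\helper.exe,hash-d
"""

def load(snapshot_text):
    """Index one CSV snapshot by (location, entry), case-insensitively."""
    rows = {}
    for row in csv.DictReader(io.StringIO(snapshot_text)):
        if not row.get("Entry"):        # skip rows that name no entry
            continue
        rows[tuple(row[k].lower() for k in KEY)] = row
    return rows

def diff_snapshots(old_text, new_text):
    """Return added/removed entry keys and per-field changes between snapshots."""
    old, new = load(old_text), load(new_text)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = []
    for k in sorted(old.keys() & new.keys()):
        for field in WATCH:
            before, after = old[k][field], new[k][field]
            if before.lower() != after.lower():   # Windows paths ignore case
                changed.append((k, field, before, after))
    return {"added": added, "removed": removed, "changed": changed}

if __name__ == "__main__":
    result = diff_snapshots(BASELINE, CURRENT)
    for key in result["added"]:
        print("ADDED  ", key)
    for key in result["removed"]:
        print("REMOVED", key)
    for key, field, before, after in result["changed"]:
        print("CHANGED", key, field, before, "->", after)
```

A changed image path or hash under an unchanged entry name is the case a plain added/removed comparison misses, and it is the one most relevant to the service and file-permission techniques in the coverage table.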