6. Autoruns

The Autoruns module makes use of the command line version of Sysinternals Autoruns (Autorunsc.exe). It parses the tool's output and integrates the parsed fields into each log message, so that every autorun entry is reported with its location, image path, publisher, description and hashes.

6.1. References

6.2. Issues

The SHA1 hash generated by Autorunsc.exe is not reliable. The reason for this is unknown. The issue has been reported to the vendor but has not been fixed so far. The SHA1 value is therefore suppressed and shown as "-" in the log messages, while MD5 and SHA256 are reported as usual.

6.3. Samples

Aug 26 18:48:28 system.internal.net/10.1.2.50
THOR: Warning: MODULE: Autoruns
MESSAGE: New or changed autoruns element
LOCATION: HKLM\System\CurrentControlSet\Services
ENTRY: SymELAM
ENABLED: enabled
CATEGORY: Drivers
PROFILE: System-wide
DESC: Symantec ELAM
PUBLISHER: Symantec Corporation
IMAGE_PATH: c:\windows\system32\drivers\sep\0c011b95\19c8.105\x64\symelam.sys
LAUNCH_STRING: system32\Drivers\SEP\0C011B95\19C8.105\x64\SymELAM.sys
MD5: 20f758e6339a16f97dd83389d582e09a
SHA1: -
SHA256: 837016154b7952b645b5545aeb8e2a8878efa8674e6b96471c3db5e458b06960
SCORE: 60

Aug 26 13:00:55 system.internal.net/10.1.2.50
THOR: Warning: MODULE: Autoruns
MESSAGE: Autoruns element located in a suspicious location
MATCH_STRING: \temp\
LOCATION: HKLM\System\CurrentControlSet\Services
ENTRY: inject3526
ENABLED: enabled
CATEGORY: Services
PROFILE: System-wide
DESC: -
PUBLISHER: -
IMAGE_PATH: c:\users\markschmitt\appdata\local\temp\inject23.exe
LAUNCH_STRING: C:\Users\markschmitt\AppData\Local\Temp\inject23.exe
MD5: 7f9a4835a7a237d2873901bb73d00e7b
SHA1: -
SHA256: d21d4ad73b848488890bf7f846daff7455062801d0d86238d99591219878f36a
SCORE: 75

6.4. Typical False Positives

  • New entries that are legitimate

  • Legitimate software that uses unusual autorun locations (e.g. user profile or temporary directories)

6.5. Attribute Evaluation

Attribute       | Question                                                                                                                                                   | Answer | Indication | Weight
----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------|-------
MESSAGE         | Does it contain "New or changed autoruns element"? (Note: this is just a change notice and can be relevant on critical systems or under certain circumstances) | Yes    | Good       | Low
IMAGE_PATH      | See chapter File Path Checks                                                                                                                               |        |            |
PUBLISHER       | Is the field empty?                                                                                                                                        | Yes    | Bad        | Low
DESC            | Is the field empty?                                                                                                                                        | Yes    | Bad        | Low
MD5/SHA1/SHA256 | Is the hash field empty? (This means the file was not found during the scan)                                                                               | Yes    |            |
MD5/SHA1/SHA256 | See chapter Hash Checks for generic checks on hashes                                                                                                       |        |            |
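The following Python script is an added worked example and not THOR's own code: it parses the two sample events shown in 6.3 into their fields and applies the attribute evaluation rows of this chapter to them. The numeric weight mapping, the "Medium" weight for a suspicious image path, the "Info" indication for an empty hash field (the table above gives none) and the list of suspicious path fragments are assumptions of this example, since the File Path Checks and Hash Checks chapters are not reproduced here.

```python
# Added example (not THOR's own code): parse THOR Autoruns log messages
# into fields and apply the attribute evaluation table from this chapter.
# Assumptions: the numeric weight mapping, the "Medium" weight for a
# suspicious IMAGE_PATH and the SUSPICIOUS_PATH_FRAGMENTS list are mine.
import re

# Constructed input: the two sample events from this chapter, one
# "KEY: value" field per line.
SAMPLE_LOG = r"""Aug 26 18:48:28 system.internal.net/10.1.2.50
THOR: Warning: MODULE: Autoruns
MESSAGE: New or changed autoruns element
LOCATION: HKLM\System\CurrentControlSet\Services
ENTRY: SymELAM
ENABLED: enabled
CATEGORY: Drivers
PROFILE: System-wide
DESC: Symantec ELAM
PUBLISHER: Symantec Corporation
IMAGE_PATH: c:\windows\system32\drivers\sep\0c011b95\19c8.105\x64\symelam.sys
LAUNCH_STRING: system32\Drivers\SEP\0C011B95\19C8.105\x64\SymELAM.sys
MD5: 20f758e6339a16f97dd83389d582e09a
SHA1: -
SHA256: 837016154b7952b645b5545aeb8e2a8878efa8674e6b96471c3db5e458b06960
SCORE: 60
Aug 26 13:00:55 system.internal.net/10.1.2.50
THOR: Warning: MODULE: Autoruns
MESSAGE: Autoruns element located in a suspicious location
MATCH_STRING: \temp\
LOCATION: HKLM\System\CurrentControlSet\Services
ENTRY: inject3526
ENABLED: enabled
CATEGORY: Services
PROFILE: System-wide
DESC: -
PUBLISHER: -
IMAGE_PATH: c:\users\markschmitt\appdata\local\temp\inject23.exe
LAUNCH_STRING: C:\Users\markschmitt\AppData\Local\Temp\inject23.exe
MD5: 7f9a4835a7a237d2873901bb73d00e7b
SHA1: -
SHA256: d21d4ad73b848488890bf7f846daff7455062801d0d86238d99591219878f36a
SCORE: 75
"""

# First line of every event: syslog-style timestamp followed by host/IP.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+)$")
# Assumed fragments standing in for the File Path Checks chapter;
# "\temp\" is the MATCH_STRING of the second sample above.
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\users\\public\\")
WEIGHT = {"Low": 1, "Medium": 2, "High": 3}  # assumed numeric mapping


def parse_events(text):
    """Split the log into events; return one dict of fields per event."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"TIMESTAMP": m.group(1), "HOST": m.group(2)}
            events.append(current)
            continue
        if current is None or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "THOR":  # "THOR: Warning: MODULE: Autoruns"
            current["LEVEL"], _, current["MODULE"] = value.partition(": MODULE: ")
        else:
            current[key] = value.strip()
    return events


def is_empty(value):
    """THOR prints "-" for an absent value (and always for SHA1, see 6.2)."""
    return value is None or value.strip() in ("", "-")


def evaluate(event):
    """Apply the evaluation rows; findings are (attribute, indication, weight, reason)."""
    findings = []
    if "New or changed autoruns element" in event.get("MESSAGE", ""):
        findings.append(("MESSAGE", "Good", "Low", "change notice only"))
    path = event.get("IMAGE_PATH", "").lower()
    for frag in SUSPICIOUS_PATH_FRAGMENTS:
        if frag in path:
            findings.append(("IMAGE_PATH", "Bad", "Medium", "path contains " + frag))
            break
    for attr in ("PUBLISHER", "DESC"):
        if is_empty(event.get(attr)):
            findings.append((attr, "Bad", "Low", "field is empty"))
    # SHA1 is suppressed by the module, so only MD5/SHA256 tell whether the
    # file was found during the scan ("Info" indication is an assumption).
    for attr in ("MD5", "SHA256"):
        if is_empty(event.get(attr)):
            findings.append((attr, "Info", "Low", "file was not found during the scan"))
    bad = sum(WEIGHT[w] for _, ind, w, _ in findings if ind == "Bad")
    good = sum(WEIGHT[w] for _, ind, w, _ in findings if ind == "Good")
    return {"entry": event.get("ENTRY"), "score": int(event.get("SCORE", "0")),
            "findings": findings, "bad": bad, "good": good}


def triage(text):
    """Parse and evaluate every event; highest accumulated 'Bad' weight first."""
    return sorted((evaluate(e) for e in parse_events(text)),
                  key=lambda r: r["bad"], reverse=True)
```

Calling `triage(SAMPLE_LOG)` ranks the inject3526 service first (suspicious image path plus empty PUBLISHER and DESC) and the SymELAM driver last, where the only finding is the low-weight change notice, which is exactly the false positive case listed in 6.4. Both events already carry a SCORE assigned by THOR; the attribute evaluation is meant as an analyst-side second look at the fields, not a replacement for that score.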