Autoruns Persistence Categories
The following are the categories of persistence locations that the current version of Autoruns lists. Each category is explained [1][2], along with suggestions on what to look for. Data stacking is a key part of the process: if you are unfamiliar with it, Mandiant has a good introduction [3].
- **Drivers** - Shows all non-disabled drivers at the time of log generation
  - ELSA Query: `groupby:path` - Show all results outside of the System32 & SysWOW64 folders
  - ELSA Query: Look for unsigned drivers
- **Explorer** - Shell extensions, addons, etc.
  - ELSA Query: `groupby:path` - Stack
- **Services** - Shows all Autostart services on the system at the time of log generation
  - ELSA Query: `groupby:path` - Show all results outside of the System32 folder - Stack
  - ELSA Query: `groupby:company` - Stack
  - Malware Example: Hupigon family backdoor
- **Codecs** - Shows all codecs loaded at the time of log generation
  - ELSA Query: `groupby:path` - Stack
- **Tasks** - Shows all registered tasks on the system at the time of log generation
  - ELSA Query: `groupby:path` - Stack
- **Winlogon** - Winlogon entries
  - ELSA Query: `groupby:path` - Stack
- **KnownDLLs** - Cached DLLs [4]
  - ELSA Query: Confirm that everything listed is a verified Windows component.
  - ELSA Query: Confirm that everything listed is found in the system directory [5]
- **Network Providers** - Winsock protocol and network providers
  - ELSA Query: `groupby:path` - Stack
- **Logon** - Common startup areas including Run & RunOnce keys, Start Menu, etc.
  - ELSA Query: `groupby:path, +users` - Stack
  - ELSA Query: `groupby:company` - Stack
- **LSA Providers** - LSA security providers
  - ELSA Query: `groupby:path` - Stack
- **Print Monitors** - Printer monitor DLLs
  - ELSA Query: Path: Show all results outside of the System32 folder - Stack
  - ELSA Query: Company: Out of ordinary companies?
- **Boot Execute** - Startup during system boot
  - ELSA Query: `groupby:path` - Closely review any non-Microsoft entries
- **Internet Explorer** - Shows all IE addons at the time of log generation
  - ELSA Query: `groupby:path` - Stack
- **Office Addins** - Shows all Office addins at the time of log generation
  - ELSA Query: `groupby:path` - Stack
- **Hijacks** - Shows all image hijacks at the time of log generation
  - ELSA Query: `groupby:path` - Closely review any entries
  - Malware Example: Adware hijacking Tasklist.exe
- **WMI** - WMI entries at the time of log generation
  - ELSA Query: `groupby:path` - Stack
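The three checks the list above keeps repeating (stack by path or company across hosts, flag images outside System32/SysWOW64, flag unsigned entries) as an added Python example that is not part of this wiki or the project's own code. It assumes the column names of `autorunsc -c` CSV output (`Category`, `Signer`, `Company`, `Image Path`) plus a `Host` column standing in for whatever the collection pipeline adds; the sample rows are constructed.

```python
import csv
import io

# Constructed sample rows. Column names follow the "autorunsc -c" CSV layout (assumed);
# the Host column is an assumption standing in for the collector's per-host tag.
SAMPLE_CSV = """Host,Entry Location,Entry,Category,Signer,Company,Image Path
ws01,HKLM\\System\\CurrentControlSet\\Services,Disk,Drivers,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\drivers\\disk.sys
ws02,HKLM\\System\\CurrentControlSet\\Services,Disk,Drivers,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\drivers\\disk.sys
ws03,HKLM\\System\\CurrentControlSet\\Services,Disk,Drivers,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\drivers\\disk.sys
ws02,HKLM\\System\\CurrentControlSet\\Services,netflt,Drivers,(Not verified) Example Co,Example Co,c:\\programdata\\netflt\\netflt.sys
ws01,HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,Logon,(Verified) Microsoft Corporation,Microsoft Corporation,c:\\users\\alice\\appdata\\local\\microsoft\\onedrive\\onedrive.exe
ws03,HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,Logon,(Not verified),,c:\\users\\bob\\appdata\\roaming\\updater.exe
"""

# Directories the Drivers/Services/Print Monitors checks treat as expected locations.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def load_rows(text=SAMPLE_CSV):
    """Parse Autoruns CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def stack(rows, category, field="Image Path"):
    """Equivalent of groupby:path (or groupby:company with field="Company"):
    count distinct hosts per value. Values seen on only a few hosts sort last
    and are the ones to review first."""
    hosts = {}
    for r in rows:
        if r["Category"] == category:
            hosts.setdefault(r[field].lower(), set()).add(r["Host"])
    return sorted(((len(h), v) for v, h in hosts.items()), reverse=True)


def outside_system_dirs(rows, category):
    """Entries of a category whose image lives outside System32/SysWOW64."""
    return [r for r in rows if r["Category"] == category
            and not r["Image Path"].lower().startswith(SYSTEM_DIRS)]


def unsigned(rows, category=None):
    """Entries whose Signer column lacks the '(Verified)' marker Autoruns emits."""
    return [r for r in rows if (category is None or r["Category"] == category)
            and not r["Signer"].startswith("(Verified)")]


if __name__ == "__main__":
    data = load_rows()
    for count, path in stack(data, "Drivers"):
        print(f"{count:>3}  {path}")
    for r in outside_system_dirs(data, "Drivers") + unsigned(data, "Logon"):
        print("REVIEW", r["Host"], r["Category"], r["Entry"], r["Image Path"])
```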
References: