Small Cyber Bytes – 2 – Autorun Locations – Malware Persistence


What Are Autorun Locations
One common way for malware to persist on a system is to add an autorun entry that causes it to start automatically every time the host boots. This is not an exhaustive list of autorun locations, but it is a good place to start, because these locations are used consistently for malware persistence. If you are aiming to become a Cyber Security Analyst, these are the basic areas you should definitely know to check.
Startup Folder
The Startup folder is a location on the computer system where users can place shortcuts to programs they want to run automatically when the system starts up. Malware authors often take advantage of this location by dropping their own malicious code into the folder, allowing it to execute every time the system boots up.
The Startup folder is a relatively easy target for malware because it can be modified by users with standard (non-administrative) permissions. This makes it an attractive target for malware authors who want to infect as many systems as possible.
- Windows XP:
  - All Users: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
  - Current User: C:\Documents and Settings\{Username}\Start Menu\Programs\Startup\
- Windows Vista, 7, 8, and 10:
  - All Users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
  - Current User: C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Note that in Windows 10, the “ProgramData” and “AppData” folders may be hidden by default, so you may need to show hidden files and folders in order to access them.
Registry
The Windows registry is a database that stores configuration information for the operating system and applications. Malware can modify the registry to create new entries that cause it to run automatically when the system starts up.
The registry is a more secure location than the Startup folder because modifying it requires elevated permissions. However, malware authors can still find ways to modify it, such as by exploiting vulnerabilities in software or by tricking users into granting them administrative privileges.
There are several registry keys where malware can add an autorun entry, including:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
These keys contain values that point to the executable files that Windows should run on startup. If you find an entry in one of these keys that you don’t recognize, it’s best to remove it to prevent malware from starting up automatically.


Scheduled Tasks
Scheduled tasks are automated processes that can be set to run at specific times or intervals. Malware authors can use scheduled tasks to set up a recurring process that executes their malicious code at regular intervals.
Scheduled tasks are more difficult to detect than other autorun locations because they are not easily visible to the user. Malware can create scheduled tasks that run in the background, making it harder to identify that the system is infected.


Services
A service is a program that runs in the background and performs specific functions. Malware can install itself as a service, allowing it to execute automatically every time the system starts up.
Services are also difficult to detect because they are not easily visible to the user.
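As an added example (not code from the original article), the following PowerShell script enumerates the Startup folders, Run/RunOnce keys, scheduled tasks and auto-start services described above on the local host, and flags entries whose binary lives outside the Windows or Program Files directories for closer review. It assumes Windows 8 or later (for the ScheduledTasks module), PowerShell 5.1 or newer, and an elevated session so every task and service can be read.

```powershell
# Added example (not from the original article): enumerate the autorun locations above.
# Assumes Windows 8 / Server 2012 or later (ScheduledTasks module) and PowerShell 5.1+.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Location, [string]$Name, [string]$Command) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command })
}

# 1. Startup folders (All Users and current user); shortcuts are resolved to their target.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                   "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force -File | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        Add-Finding "StartupFolder" $_.Name $target
    }
}

# 2. Run / RunOnce keys for the machine (HKLM) and the current user (HKCU).
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PS* metadata properties; skip them to keep only real values.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Finding $key $_.Name $_.Value }
    }
}

# 3. Scheduled tasks: each action's executable plus arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Add-Finding "Task:$($task.TaskPath)" $task.TaskName "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 4. Services that start automatically, with the binary they launch.
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# Entries whose binary lives outside Windows or Program Files deserve a closer look;
# this is a triage heuristic, not proof of infection (assumes Windows is installed on C:).
$trusted = '^"?(C:\\Windows\\|C:\\Program Files( \(x86\))?\\)'
$findings | ForEach-Object {
    $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue ($_.Command -notmatch $trusted) -PassThru
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Entries marked Suspicious are sorted to the top of the table; compare each against a known-good baseline of the same host or image before removing anything.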
Browser Extensions
Malware can also install itself as a browser extension, allowing it to execute every time the user opens their web browser. This type of malware is becoming increasingly common as more people rely on web-based applications and services.
Browser extensions can be particularly dangerous because they have access to sensitive information, such as browsing history and cookies. Malware can use this information to steal personal data or to carry out other malicious activities.
Review
Malware is a persistent problem in the tech world, and one of the ways it can infect a system is by running automatically upon system startup. This is why malware authors often use autorun locations.
Malware that uses autorun locations can be a persistent threat to computer systems, and can allow malware to operate undetected for extended periods. By understanding the most common autorun locations that malware uses, you can minimize the risk of infection and keep a system running smoothly. Always remember to stay vigilant and keep systems up-to-date with the latest security patches and antivirus software to stay safe.
If you enjoyed this article you may also like PowerShell for Rapid Incident Response – Process Enumeration by Tom
Thank you for reading and keep on building those skills.