Thursday, 7 March 2019

How to hunt for processes starting from Run RunOnce & Startup folders

In this short post we will be showing you one way on how to use process creation events to detect programs running from:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • %Appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup

This can be useful in situations where you are provided only with process creation events (Sysmon eventid 1 or Windows builtin eventid 4688 or EDR process creation telemetry) and you don't have access to registry values on all machines or you want to be selective into which machine to access directly and use autoruns (sysinternal utility, can be found here) for further analysis (reduce the scope and efforts).

The idea is very simple and straightforward, if a program is spawned by explorer.exe (child process of userinit.exe) or spawned by runonce.exe within the first minute of explorer.exe execution time, then it's likely to be a persistent process and you need to assess it further (VT hash, signature, network connections, timestamps etc.). 

We've inserted into the aforementioned auto-stratup locations a commend of "hello from %startup-loc% plus the one that already existed in the machine, see the below examples:





After rebooting the machine and logging in, we can see the following process creations events sorted by execution time:


As you can see above this can confirm our theory, of looking at adjacent process execution close to the first executed explorer.exe (child of userinit.exe son of ... 😤 ) as well as the child processes of runonce.exe.

Note also that programs starting from HKCU runonce are spawned by explorer.exe while HKLM runonce are spawned by runonce.exe. The time difference between explorer.exe execution and HKCU runonce entries's execution is less than 1 minutes, it could be more if you have more registry or startup folder entries but one can differentiate between processes started manually or automatically (a.k.a a user won't start rundll32.exe, cscript, wmic or cmd.exe within first minutes  of a session startup). 

Example of Log Parser Studio (Excellent Microsoft Log Parsing Utility) query for sysmon process creation eventid 1 (then you will need to sort the result by time and start your analysis from the first explorer.exe execution):

select extract_token(Strings,1,'|') As Time, extract_token(Strings,9,'|') As ProCmdline, extract_token(Strings,20,'|') As Parent FROM 'sysmon.evtx' where EventID=1 and (Parent like '%explorer%' or Parent like '%runonce%' or Parent like '%userinit%')


No comments:

Post a Comment