Persistence Mechanisms

  • Published 6 Sep 2024

COMMENTS • 31

  • @doncorleone6182 6 years ago +13

    Thanks for keeping it free. God bless you.
    Will donate on patreon.

  • @carlsaiyed1097 6 years ago +2

    Great video, thank you for sharing.

  • @bairammamedov570 1 year ago +1

    Great video, thanks a lot

  • @sami9348 6 years ago +1

    Great video, thanks Sir

  • @cyberkeshav 1 year ago

    Great explanation sir, but I have a question: where do I have to look for new persistence mechanisms?

  • @dip9995 1 year ago +2

    Does the evil.exe running example only work with notepad.exe?

    • @13Cubed 1 year ago +1

      No, that was just the example used.

  • @arreinsbeta 6 years ago +1

    Another hit

  • @monnombre6547 3 years ago +1

    thank you !!!!

  • @SecureTheWorld 6 years ago

    Great video, thanks a lot 👍

  • @WebCreatorBrk 4 years ago

    Very cool!! But how do I hook my Win10 to hide processes and netstat connections? Send please

  • @minasalib1951 1 year ago

    Would a hidden or deleted scheduled task show up in autoruns?

    • @13Cubed 1 year ago

      Deleted, no -- hidden, maybe -- depends on how it was hidden. See "The Case of the Disappearing Scheduled Task" episode.

  • @NoEgg4u 6 years ago

    I would like to be able to detect when anything new is added that will automatically start.
    The only solution I know of is to compare autorun results, from time to time.
    This, however, is too cumbersome, and is prone to human error, due to the number of items that are listed by autoruns (too difficult to identify new items).
    Is there a tool that can alert you whenever a new item is added? ...By that, I mean, any new item that Windows will run automatically.
    It would be great to be able to review every new item, and do so as soon as that item gets added to any auto-start part of Windows.
    Granted, it would not help with the Global Flags, Start Process Exit feature that is reviewed in this video. That aside, it would still be a great help to catch every new start-up item, and catch it right away.
    Thank you.

    • @13Cubed 6 years ago

      Good question -- not that I'm aware. Diffing Autoruns output would be my first thought as well, but you may be able to leverage Sysmon with some custom filters to accomplish this.

    • @NoEgg4u 6 years ago +2

      Greetings,
      Due to your area of expertise, you likely run in social circles with folks that have the skills to create the tool -- or perhaps if you do not know someone directly, your contacts might know folks that can create such a tool (or know if one exists).
      Your reply, above, was appreciated, and your videos are very good.
      Cheers!

    • @WebCreatorBrk 4 years ago

      Very cool!! But how do I hook my Win10 to hide processes and netstat connections? Send please
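
Added example (not from the video or from any commenter): a minimal way to diff two Autoruns snapshots, as discussed in the thread above, so that only new or removed autostart entries need review. The column names are assumed to follow the header of an `autorunsc` CSV export, and both sample snapshots are constructed.

```python
import csv
import io

# Fields that identify an autostart entry. Column names are an assumption:
# adjust them to the header row of your own export.
KEY_FIELDS = ("Entry Location", "Entry", "Image Path", "Launch String")

# Constructed sample snapshots (not real tool output).
BASELINE = r"""Time,Entry Location,Entry,Enabled,Category,Image Path,Launch String
20240101-10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,,,,,
20240101-10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
"""
# Same entries with a different Time value, plus one new per-user Run entry.
CURRENT = BASELINE.replace("20240101", "20240108") + r"""20240107-23:14,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,c:\users\public\updater.exe,C:\Users\Public\updater.exe /quiet
"""


def load_snapshot(csv_text):
    """Map each entry's identity key to its full CSV row."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (row.get("Entry") or "").strip():
            continue  # skip rows that name a location but no entry
        # Case-insensitive key; Time is deliberately left out so that a
        # timestamp change alone is not reported as a new entry.
        key = tuple((row.get(f) or "").strip().lower() for f in KEY_FIELDS)
        rows[key] = row
    return rows


def diff_snapshots(baseline_text, current_text):
    """Return (added, removed) rows between two snapshots, in stable order."""
    old, new = load_snapshot(baseline_text), load_snapshot(current_text)
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    return added, removed


if __name__ == "__main__":
    added, removed = diff_snapshots(BASELINE, CURRENT)
    for row in added:
        print("NEW    ", row["Entry Location"], "->", row["Launch String"])
    for row in removed:
        print("REMOVED", row["Entry Location"], "->", row["Launch String"])
```

A changed launch string for an existing entry shows up as one removed and one new row, because the launch string is part of the key.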

  • @robinhood3841 4 years ago

    How can we remove the silent process exit, because it's not showing up in the Registry?

    • @13Cubed 4 years ago

      Not sure I understand your question?

  • @witoldawacz6818 6 years ago +1

    Great video as usual. Some time ago I found Oddvar's article and I updated my forensics tools ;-) ... one of them is here: github.com/wit0k/regparser/blob/master/plugins/autoruns.py (but it's meant to be used on offline registry hives only)

    • @13Cubed 6 years ago

      Nice - thanks!

    • @WebCreatorBrk 4 years ago

      @13Cubed Very cool!! But how do I hook my Win10 to hide processes and netstat connections? Send please

  • @haroldgar12 5 years ago

    Where do I go to create the evil.exe file?

    • @13Cubed 5 years ago

      That was just an example. In real life, if this were to be abused, evil.exe would presumably be some type of malware.

    • @haroldgar12 5 years ago

      @13Cubed Ya, I know. I just wanted to know how I would create a fake evil.exe file, like yours, where it would only display a message. I found out how to do it. Another question I have is, how would I install the commands in the command line of my victim if it requires admin privileges? I set up a victim laptop in my test environment and I'm able to create a session using an exploit, which allows me to access my victim's laptop (my own), but when I try to use those 3 commands, it fails saying that I don't have privileges (which I figured it would). My victim laptop runs Windows 10.

    • @13Cubed 5 years ago

      hdawg12 Yes, as you noted this does require local admin privileges. You would have to use some other exploit to attempt privilege escalation on the target. In this case you are modifying HKLM, not HKCU (hence the admin requirement).

    • @haroldgar12 5 years ago

      @13Cubed, ya, that's what I figured. So once I find an exploit that gives me admin privileges, I would use this method to install a backdoor payload in my victim (which is my own laptop), allowing me access whenever my victim turns on his laptop, correct?

    • @13Cubed 5 years ago

      hdawg12 In theory that’s how a malicious actor would exploit this, yes. My normal disclaimer applies - only do this in a lab environment, and only with proper permission. :)