Volatility autoruns plugin

Finding persistence points (also called Auto-Start Extensibility Points, or ASEPs) is a recurring task in any investigation that may involve malware.

Checking for persistence is relatively easy when you have a forensic copy of the hard drive: tools such as Sysinternals' Autoruns (including its lesser-known ability to analyze an offline system by pointing it at the registry hives taken from the image) or RegRipper with its user_run and soft_run plugins all do the job perfectly.

When all you have is a memory dump and your trusty Volatility framework, things get more tedious: you have to call printkey by hand on every Run key and every Services subkey you can think of. The svcscan plugin can come in handy, but it won't tell you which DLL an svchost-hosted service actually loads (the ServiceDll value under the service's Parameters subkey) or when the service was created.

Plugin features

To make an analyst's life a bit easier, I wrote the autoruns plugin. It automates most of the checks you would otherwise run by hand when trying to find out where malware is persisting from. Once all the autostart locations have been collected, each entry is matched against the processes running in memory.
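The matching step deserves a closer look, because registry values rarely contain a clean path: Run values are often quoted or carry arguments, and service ImagePath values lean on %SystemRoot%-style variables. The following is an added example, not the plugin's own code, showing how such entries can be normalised and matched against a process list. The ASEP entries, the process list and the environment variable values are all constructed sample data; the function names and the assumption that you already have the (key, value, data) triples and the (pid, ppid, image path) triples from the image are mine.

```python
import ntpath
import re

# Constructed sample input: ASEP entries as (registry key, value name, raw data).
SAMPLE_ASEPS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VMware Tools",
     r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"%APPDATA%\svchost.exe /silent"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "ImagePath",
     r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\gone", "ImagePath",
     r"C:\Windows\System32\oldagent.exe"),
]

# Constructed sample process list, the shape pslist gives you: (pid, ppid, image path).
SAMPLE_PROCS = [
    (1188, 640, r"C:\Windows\System32\svchost.exe"),
    (1360, 1300, r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"),
    (2044, 1360, r"C:\Users\Bob\AppData\Roaming\SVCHOST.EXE"),
]

# Constructed environment for %VAR% expansion. On a real case these values must
# come from the image (hives / process environment), never from the analysis host.
SAMPLE_ENV = {
    "%SYSTEMROOT%": r"C:\Windows",
    "%APPDATA%": r"C:\Users\Bob\AppData\Roaming",
    "%PROGRAMFILES%": r"C:\Program Files",
}

_QUOTED = re.compile(r'^"([^"]+)"')
# Unquoted paths may contain spaces, so cut at the first known extension instead
# of the first whitespace.
_EXE = re.compile(r"^(.+?\.(?:exe|dll|sys|cmd|bat))(?:\s|$)", re.IGNORECASE)


def extract_image(raw, env):
    """Pull the executable path out of a Run / ImagePath value.

    Handles quoted paths, unquoted paths containing spaces, trailing
    arguments and %VAR% expansion (case-insensitive variable names)."""
    data = raw.strip()
    m = _QUOTED.match(data)
    if m:
        path = m.group(1)
    else:
        m = _EXE.match(data)
        path = m.group(1) if m else data.split()[0]
    path = re.sub(r"%\w+%", lambda v: env.get(v.group(0).upper(), v.group(0)), path)
    return ntpath.normpath(path)


def norm(path):
    """Comparison key: NTFS paths are case-insensitive, slashes are equivalent."""
    return ntpath.normcase(path)


def match_aseps(aseps, procs, env):
    """Return one record per ASEP with the pids whose image path matches it.

    An empty pid list means the entry has no live process (stale entry,
    or something that has not run yet in this memory image)."""
    by_path = {}
    for pid, _ppid, image in procs:
        by_path.setdefault(norm(image), []).append(pid)
    results = []
    for key, name, raw in aseps:
        image = extract_image(raw, env)
        results.append({"key": key, "value": name, "image": image,
                        "pids": by_path.get(norm(image), [])})
    return results


if __name__ == "__main__":
    for r in match_aseps(SAMPLE_ASEPS, SAMPLE_PROCS, SAMPLE_ENV):
        pids = ", ".join(str(p) for p in r["pids"]) or "no running process"
        print("%s\\%s -> %s [%s]" % (r["key"], r["value"], r["image"], pids))
```

Note that the constructed "Updater" entry is exactly the kind of thing the matching is meant to surface: the value resolves to an svchost.exe that lives under a user profile and is backed by pid 2044, a child of the VMware tray process rather than of services.exe. Matching on the normalised path alone will also fail for entries that use 8.3 short names or symlinked drive letters; those need to be resolved from the image before comparison.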

Today, the plugin goes through:

Besides listing all these persistence points and their corresponding values, the plugin matches each of them with a running process. This is particularly useful to:

How-to

The plugin is pretty straightforward to use. Pass the directory containing the plugin file (not the file itself) to Volatility with the --plugins= option.

Relevant options for the plugin are:

Sample plugin output:

Roadmap

I plan on including some more ASEPs, such as scheduled tasks (done!) and Startup folders. If you see any way other than going through the MFT, please do let me know!

I also plan on extending support to OS X and hopefully Linux.

Since the plugin needs to parse a large number of registry keys, it can take a while to run (approximately 3 minutes for all the checks on the memory sample I tested it on).

Details and download

The plugin has its own GitHub repo. Check the README there for more details on the specific checks that are made.

It was tested with Volatility 2.4 on several of the memory samples available here.