Analyzes Windows malware persistence using Sysinternals Autoruns, scanning registry keys, scheduled tasks, services, drivers, and startups. Automates suspicious entry detection with Python.
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extension Points (ASEPs) on Windows, scanning more than 18 categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters out Microsoft-signed entries. The compare feature identifies newly added persistence mechanisms by diffing against a baseline. VirusTotal integration checks hash reputation. Offline analysis via the -z flag supports examination of forensic disk images.
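The baseline comparison described above is the part of the workflow that most often separates a real intrusion from background noise on a busy host. The following is an added example, not the skill's own script and not Autoruns code: it diffs two autorunsc CSV exports (a known-good baseline and a current scan) keyed on entry location, entry name and image path, and reports entries that were added, removed, or whose SHA-256 changed in place. The two CSV exports embedded below are constructed sample data with made-up hashes, trimmed to the column subset the diff needs; the column names themselves match the header autorunsc emits with -c -h.

```python
#!/usr/bin/env python3
"""Diff two autorunsc CSV exports (baseline vs. current) to surface new or
modified autostart entries. Added example; the CSV rows below are constructed
sample data, not real Autoruns output."""
import csv
import io

# An autostart entry is identified by where it lives, what it is called and
# what it launches; a same-key row with a different hash is a modified binary.
KEY_FIELDS = ("Entry Location", "Entry", "Image Path")

# Constructed baseline export (hashes are placeholders).
BASELINE_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe,aaaa1111
HKLM\\System\\CurrentControlSet\\Services,ExampleSvc,enabled,Services,Example service,(Verified) Example Corp,Example Corp,c:\\program files\\example\\svc.exe,"c:\\program files\\example\\svc.exe",bbbb2222
"""

# Constructed current export: same host after a hypothetical unsigned Run key
# appeared under a user hive and the service binary's hash changed.
CURRENT_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe,aaaa1111
HKLM\\System\\CurrentControlSet\\Services,ExampleSvc,enabled,Services,Example service,(Verified) Example Corp,Example Corp,c:\\program files\\example\\svc.exe,"c:\\program files\\example\\svc.exe",cccc3333
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,,(Not verified),,c:\\users\\public\\updater.exe,"c:\\users\\public\\updater.exe",dddd4444
"""


def load_entries(csv_text):
    """Parse autorunsc CSV text into a dict keyed by (location, entry, image path)."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row.get(field, "") for field in KEY_FIELDS)
        entries[key] = row
    return entries


def diff_autoruns(baseline_text, current_text):
    """Return entries that are new, removed, or whose binary hash changed since baseline."""
    base = load_entries(baseline_text)
    cur = load_entries(current_text)
    added = [cur[k] for k in cur.keys() - base.keys()]
    removed = [base[k] for k in base.keys() - cur.keys()]
    changed = [
        {"before": base[k], "after": cur[k]}
        for k in base.keys() & cur.keys()
        if base[k].get("SHA-256") != cur[k].get("SHA-256")
    ]
    return {"added": added, "removed": removed, "changed": changed}


def triage(delta):
    """Attach short reasons to each finding so an analyst can prioritise review."""
    findings = []
    for row in delta["added"]:
        reasons = ["new autostart entry since baseline"]
        if row.get("Signer", "") in ("", "(Not verified)"):
            reasons.append("unsigned")
        if "\\users\\public\\" in row.get("Image Path", "").lower():
            reasons.append("world-writable path")
        findings.append((row["Entry"], reasons))
    for pair in delta["changed"]:
        findings.append((pair["after"]["Entry"], ["image hash changed since baseline"]))
    for row in delta["removed"]:
        findings.append((row["Entry"], ["entry removed since baseline"]))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(diff_autoruns(BASELINE_CSV, CURRENT_CSV)):
        print(f"[!] {entry}: {', '.join(reasons)}")
```

Keying on the image path as well as the location and entry name means a legitimate product update that repoints an entry to a new binary shows up as one removed and one added row rather than silently passing; the hash comparison catches the quieter case where the path is unchanged but the file on disk is not. Removed entries are reported too, since persistence is sometimes cleaned up to hide an earlier foothold.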
```python
#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis."""
import csv
import subprocess
import sys


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    # -a * all categories, -c CSV output, -h file hashes, -s verify signatures,
    # trailing * scans every user profile on the host
    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    with open(csv_path, "w", encoding="utf-8", errors="replace") as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def parse_and_flag(csv_path):
    suspicious = []
    with open(csv_path, "r", encoding="utf-8", errors="replace") as f:
        for row in csv.DictReader(f):
            reasons = []
            signer = row.get("Signer", "")
            if not signer or signer == "(Not verified)":
                reasons.append("未签名的二进制文件")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("缺少元数据")
            path = row.get("Image Path", "").lower()
            # backslashes are doubled: "\t" and "\a" would otherwise be
            # interpreted as tab and bell escape sequences, never matching
            for sp in ["\\temp\\", "\\appdata\\local\\temp", "\\users\\public\\"]:
                if sp in path:
                    reasons.append("可疑路径")
                    break
            launch = row.get("Launch String", "").lower()
            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
                if kw in launch:
                    reasons.append(f"LOLBin:{kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # analyse an existing autorunsc CSV export (e.g. from an offline -z run)
        results = parse_and_flag(sys.argv[1])
    else:
        # no file given: run a live scan on this host
        results = scan_and_analyze()
    print(f"[!] {len(results)} 个可疑条目")
    for r in results:
        print(f"  {r.get('Entry', '')} - {r.get('Image Path', '')}")
        for reason in r.get("reasons", []):
            print(f"    - {reason}")
```