Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence points. There are similar programs, but as the author of Autoruns says, “(Autoruns) has the most comprehensive knowledge of auto-starting locations”, therefore the focus here is on Autoruns.
In the last few weeks, a couple of security researchers (Kyle – @KyleHanslovan, Chris – @ChrisBisnett, HASHEREZADE – @hasherezade) have discovered that it is possible to evade Autoruns when it is used with its default configuration. Always remember that determined attackers will work actively on hiding their activities within your network.
To better understand these techniques, we can group them into two categories, “Direct manipulation” and “Indirect manipulation”. Read this article to better understand these categories.