Wazuh and Sysinternals Integration. Part I — Finding Persistent Footholds

Introduction.

Out of all the Microsoft Sysinternals tools, integrating Sysmon with the Wazuh agent is probably the most popular, most implemented option.

The Sysinternals suite though offers other tools that, via their CLI options, can be easily integrated with the Wazuh stack, collecting events and ingesting and evaluating these events in the manager.

In this post we’ll focus on detecting persistent footholds in a Windows machine using the Sysinternals tool “Autoruns”.

Sysinternals — Autoruns

The official Microsoft documentation can be found here.

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys.

Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.

By running Autoruns UI, it’ll show the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration.

Autostart locations displayed by Autoruns include:

• Logon entries
• Explorer add-ons
• Internet Explorer add-ons including Browser Helper Objects (BHOs)
• Appinit DLLs
• Image hijacks
• Boot execute images
• Winlogon notification DLLs
• Windows Services and Winsock Layered Service Providers
• Media codecs
• ….and more.

Autoruns also includes a command-line equivalent (“Autorunsc”)that can output in CSV format.

Sysinternals and Virus Total.

Autoruns and Virus Total hash analysis integration was included in 2015. Sysinternals and Virus Total worked out integration options whereby some tools included in the suite can make API calls to Virus Total to query file hashes and spot malicious files found in drives, references and keys found in the windows registry, etc.

The sysinternals tools leveraging Virus Total file hash scan will manage internally the cadence in the API calls, as a “flow control” mechanism transparent to the user.

Integrating Autoruns and Wazuh Agent.

Full details in our Github repo.

Via Wodle’s command included in Wazuh we can instruct the agents to run periodic autoruns “scans” using its CLI and report back to the manager when any associated hash found in the registry has been flagged in Virus Total, or if its signature is unknown.

This is a valuable option to spot and report on persisting footholds found in the system.

SOCFortress — Persistent Foothold Reports.

Autoruns — Signatures found in Virus Total

Signatures by Software Vendor and Category

Autoruns — Events Details.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html