Analyzes Windows malware persistence using Sysinternals Autoruns, scanning registry keys, scheduled tasks, services, drivers, and startups. Automates suspicious entry detection with Python.
Sysinternals Autoruns extracts data from the hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning more than 18 categories, including the Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions and AppInit DLLs. Digital-signature verification (-s) lets Microsoft-signed entries be filtered out, but note that a scheduled task or Run key that launches a signed Microsoft binary such as powershell.exe is hidden by that filter too, so the launch string still has to be inspected. The compare feature (File > Compare in the GUI, or diffing two CSV exports of the console tool autorunsc) identifies newly added persistence mechanisms as the difference from a baseline. VirusTotal integration checks hash reputation. The -z flag points autorunsc at an offline system root and user profile, which supports examination of a mounted forensic disk image.
```python
#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis with autorunsc."""
import csv
import subprocess
import sys


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    """Run autorunsc over every ASEP category (-a *) for all user profiles
    (trailing *), emitting CSV (-c) with file hashes (-h) and signature
    verification (-s), then flag suspicious rows. Run elevated for full
    coverage of services, drivers and other users' profiles."""
    cmd = [autorunsc_path, "-accepteula", "-nobanner",
           "-a", "*", "-c", "-h", "-s", "*"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    with open(csv_path, "w", newline="") as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def parse_and_flag(csv_path):
    """Apply simple heuristics to an Autoruns CSV export and return the rows
    that trip at least one of them, with the reasons attached. Check the
    export's text encoding if the header row does not parse."""
    suspicious = []
    with open(csv_path, "r", newline="", errors="replace") as f:
        for row in csv.DictReader(f):
            reasons = []
            # Autoruns reports "(Verified) <Publisher>" for a valid signature
            # and "(Not verified) <Publisher>" otherwise, so match the prefix
            # rather than the whole string.
            signer = row.get("Signer", "") or ""
            if not signer.startswith("(Verified)"):
                reasons.append("unsigned or unverifiable binary")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("missing version metadata")
            path = (row.get("Image Path", "") or "").lower()
            # Backslashes are doubled: "\temp" would be a tab and "\users"
            # an invalid \u escape in a normal Python string.
            for sp in ["\\temp\\", "\\appdata\\local\\temp", "\\users\\public\\"]:
                if sp in path:
                    reasons.append(f"suspicious path: {sp}")
            launch = (row.get("Launch String", "") or "").lower()
            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
                if kw in launch:
                    reasons.append(f"LOLBin in launch string: {kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    # With a CSV path argument, analyze an existing export offline;
    # with no argument, run autorunsc on the live host.
    if len(sys.argv) > 1:
        results = parse_and_flag(sys.argv[1])
    else:
        results = scan_and_analyze()
    print(f"[!] {len(results)} suspicious entries")
    for r in results:
        print(f"  {r.get('Entry', '')} - {r.get('Image Path', '')}")
        for reason in r.get("reasons", []):
            print(f"    - {reason}")
```
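The baseline comparison described in the summary, as an added example that is not part of the skill's own script or of Autoruns: the GUI compares the live view against a saved .arn file, while autorunsc has no compare switch, so the console equivalent is to export CSV before and after and diff the two exports keyed on (Entry Location, Entry). The two exports below are constructed sample data with placeholder hash values and only a subset of the real columns; the real file carries more columns (Time, Category, Profile, Description, Company, MD5, ...), which DictReader simply carries along. The added ChkUpd task deliberately points at the Microsoft-signed powershell.exe, so a "hide Microsoft entries" filter would suppress it while the diff still surfaces it.

```python
#!/usr/bin/env python3
"""Diff two Autoruns CSV exports to surface new or altered persistence."""
import csv
import io

# Constructed baseline export (not real host data); hashes are placeholders.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,A1A1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Verified) Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background,B2B2
HKLM\System\CurrentControlSet\Services,Spooler,enabled,(Verified) Microsoft Windows,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe,C3C3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,(Verified) VMware,c:\program files\vmware\vmware tools\vmtoolsd.exe,C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr,D4D4
"""

# Constructed later export: OneDrive's Run key now points at an unsigned copy
# in Temp, VMware Tools is gone, and a new scheduled task runs a hidden
# PowerShell script via the Microsoft-signed powershell.exe.
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,A1A1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Not verified) Microsoft Corporation,c:\users\alice\appdata\local\temp\onedrive.exe,C:\Users\alice\AppData\Local\Temp\OneDrive.exe /background,E5E5
HKLM\System\CurrentControlSet\Services,Spooler,enabled,(Verified) Microsoft Windows,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe,C3C3
Task Scheduler,\Update\ChkUpd,enabled,(Verified) Microsoft Windows,c:\windows\system32\windowspowershell\v1.0\powershell.exe,powershell.exe -w hidden -ep bypass -f C:\Users\Public\upd.ps1,F6F6
"""

# An ASEP is identified by where it lives and what it is called ...
KEY_FIELDS = ("Entry Location", "Entry")
# ... and has "changed" when the same ASEP now launches something else.
CONTENT_FIELDS = ("Image Path", "Launch String", "SHA-256", "Signer")


def load_entries(csv_text):
    """Index an Autoruns CSV export by (Entry Location, Entry)."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple((row.get(f) or "").strip() for f in KEY_FIELDS)
        entries[key] = row
    return entries


def diff_autoruns(baseline_text, current_text):
    """Return the ASEPs added, removed or changed relative to the baseline."""
    base = load_entries(baseline_text)
    cur = load_entries(current_text)
    added = [cur[k] for k in sorted(cur.keys() - base.keys())]
    removed = [base[k] for k in sorted(base.keys() - cur.keys())]
    changed = []
    for k in sorted(cur.keys() & base.keys()):
        diffs = {f: (base[k].get(f), cur[k].get(f))
                 for f in CONTENT_FIELDS if base[k].get(f) != cur[k].get(f)}
        if diffs:
            changed.append({"entry": cur[k], "fields": diffs})
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_autoruns(BASELINE_CSV, CURRENT_CSV)
    for row in result["added"]:
        print(f"[+] {row['Entry Location']} :: {row['Entry']} -> {row['Launch String']}")
    for row in result["removed"]:
        print(f"[-] {row['Entry Location']} :: {row['Entry']}")
    for item in result["changed"]:
        row = item["entry"]
        print(f"[~] {row['Entry Location']} :: {row['Entry']}")
        for field, (old, new) in item["fields"].items():
            print(f"      {field}: {old} -> {new}")
```

Keying on location plus name is what makes a replaced binary show up as "changed" rather than disappearing into the noise of a fresh scan; the SHA-256 column from -h catches a swapped file even when the path and launch string are unchanged. For a real engagement, take the baseline export from a known-good image of the same build, since entries legitimately differ between Windows versions.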