Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

killvxk/analyzing-malware-persistence-with-autoruns

Name: analyzing-malware-persistence-with-autoruns
Author: killvxk

skills/analyzing-malware-persistence-with-autoruns/SKILL.md

npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-malware-persistence-with-autoruns

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

使用 Autoruns 分析恶意软件持久化

概述

Sysinternals Autoruns 从 Windows 上的数百个自动启动扩展点（ASEP）提取数据，扫描 18 个以上类别，包括 Run/RunOnce 键、服务、计划任务、驱动程序、Winlogon 条目、LSA 提供程序、打印监视器、WMI 订阅和 AppInit DLL。数字签名验证过滤 Microsoft 签名条目。比较功能通过基线差异识别新增的持久化机制。VirusTotal 集成检查哈希信誉。通过 -z 标志进行离线分析，支持取证磁盘镜像检查。

前置条件

Sysinternals Autoruns（GUI）和 Autorunsc（CLI）
目标系统上的管理员权限
Python 3.9+，用于自动化分析
VirusTotal API 密钥，用于信誉检查
干净的基线导出，用于比对

操作步骤

步骤 1：自动化持久化扫描

#!/usr/bin/env python3
"""自动化基于 Autoruns 的持久化分析。"""
import subprocess
import csv
import json
import sys


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    with open(csv_path, 'w') as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def parse_and_flag(csv_path):
    suspicious = []
    with open(csv_path, 'r', errors='replace') as f:
        for row in csv.DictReader(f):
            reasons = []
            signer = row.get("Signer", "")
            if not signer or signer == "(Not verified)":
                reasons.append("未签名的二进制文件")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("缺少元数据")
            path = row.get("Image Path", "").lower()
            for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
                if sp in path:
                    reasons.append(f"可疑路径")
            launch = row.get("Launch String", "").lower()
            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
                if kw in launch:
                    reasons.append(f"LOLBin：{kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = parse_and_flag(sys.argv[1])
        print(f"[!] {len(results)} 个可疑条目")
        for r in results:
            print(f"  {r.get('Entry','')} - {r.get('Image Path','')}")
            for reason in r.get('reasons', []):
                print(f"    - {reason}")

验证标准

扫描并记录所有 ASEP 类别
标记未签名条目以供调查
突出显示可疑路径和 LOLBin 启动字符串
基线比较识别新的持久化机制

参考资料

Sysinternals Autoruns
SANS - 重新审视离线 Autoruns
使用 Autoruns 猎捕恶意软件
MITRE ATT&CK T1547 - 启动或登录自动启动

killvxk/analyzing-malware-persistence-with-autoruns

skills/analyzing-malware-persistence-with-autoruns/SKILL.md

使用 Sysinternals Autoruns 系统化识别和分析 Windows 系统上注册表键、计划任务、服务、驱动程序和启动位置中的恶意软件持久化机制。

9 stars

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-malware-persistence-with-autoruns

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 10:48 PM8.9s6 files scanned

SKILL.md

name:: analyzing-malware-persistence-with-autoruns
description:: 使用 Sysinternals Autoruns 系统化识别和分析 Windows 系统上注册表键、计划任务、服务、驱动程序和启动位置中的恶意软件持久化机制。
domain:: cybersecurity
subdomain:: malware-analysis
tags:: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
version:: 1.0
author:: mahipal
license:: Apache-2.0

使用 Autoruns 分析恶意软件持久化

概述

前置条件

Sysinternals Autoruns（GUI）和 Autorunsc（CLI）
目标系统上的管理员权限
Python 3.9+，用于自动化分析
VirusTotal API 密钥，用于信誉检查
干净的基线导出，用于比对

操作步骤

步骤 1：自动化持久化扫描

#!/usr/bin/env python3
"""自动化基于 Autoruns 的持久化分析。"""
import subprocess
import csv
import json
import sys


def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    with open(csv_path, 'w') as f:
        f.write(result.stdout)
    return parse_and_flag(csv_path)


def parse_and_flag(csv_path):
    suspicious = []
    with open(csv_path, 'r', errors='replace') as f:
        for row in csv.DictReader(f):
            reasons = []
            signer = row.get("Signer", "")
            if not signer or signer == "(Not verified)":
                reasons.append("未签名的二进制文件")
            if not row.get("Description") and not row.get("Company"):
                reasons.append("缺少元数据")
            path = row.get("Image Path", "").lower()
            for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
                if sp in path:
                    reasons.append(f"可疑路径")
            launch = row.get("Launch String", "").lower()
            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
                if kw in launch:
                    reasons.append(f"LOLBin：{kw}")
            if reasons:
                row["reasons"] = reasons
                suspicious.append(row)
    return suspicious


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = parse_and_flag(sys.argv[1])
        print(f"[!] {len(results)} 个可疑条目")
        for r in results:
            print(f"  {r.get('Entry','')} - {r.get('Image Path','')}")
            for reason in r.get('reasons', []):
                print(f"    - {reason}")

验证标准

扫描并记录所有 ASEP 类别
标记未签名条目以供调查
突出显示可疑路径和 LOLBin 启动字符串
基线比较识别新的持久化机制

参考资料

Sysinternals Autoruns
SANS - 重新审视离线 Autoruns
使用 Autoruns 猎捕恶意软件
MITRE ATT&CK T1547 - 启动或登录自动启动

Related Skills

killvxk/conducting-social-engineering-penetration-test

testing

VerifiedTrustedCommunity

设计并执行社会工程学渗透测试，包括钓鱼、语音钓鱼、短信钓鱼和物理借口活动，以衡量人员安全韧性并识别培训差距。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-social-engineering-penetration-test

killvxk/conducting-post-incident-lessons-learned

testing

VerifiedTrustedCommunity

主持结构化的事件后审查，以识别根本原因、记录有效和无效的措施，并提出可操作的改进建议以提升未来的事件响应能力。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-post-incident-lessons-learned

killvxk/conducting-phishing-incident-response

testing

VerifiedTrustedCommunity

通过分析举报的邮件、提取指标、评估凭据受攻陷情况、在全组织范围隔离恶意邮件并修复受影响账号来响应网络钓鱼事件。涵盖邮件头分析、URL/附件沙箱检测和邮箱范围清除操作。适用于网络钓鱼响应、邮件事件、凭据钓鱼、鱼叉式网络钓鱼调查或钓鱼修复相关请求。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-phishing-incident-response

killvxk/conducting-pass-the-ticket-attack

tools

VerifiedTrustedCommunity

票据传递（Pass-the-Ticket，PtT）是一种横向移动技术，使用窃取的 Kerberos 票据（TGT 或 TGS）在不知道用户密码的情况下向服务进行认证。通过从已控制的主机内存中提取 Kerberos 票据，攻击者可以将这些票据注入自己的会话以模拟票据所有者。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-pass-the-ticket-attack

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/killvxk/cybersecurity-skills-zh.git

# Copy into Claude Code skills folder (global)
cp -r cybersecurity-skills-zh/skills/analyzing-malware-persistence-with-autoruns ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

killvxk/cybersecurity-skills-zh

9 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT