analyzing-malware-persistence-with-autoruns

Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.

mukul975/Anthropic-Cybersecurity-Skills|Updated May 25, 2026

Works with

Claude CodeCursorClineWindsurfCodex

Installation Guide

Select your AI agent

How to use analyzing-malware-persistence-with-autoruns on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your machine
›Node.js 16+ with npm — verify with node --version
›Active project directory where you want to add analyzing-malware-persistence-with-autoruns

Run the install command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/analyzing-malware-persistence-with-autoruns

Fetches analyzing-malware-persistence-with-autoruns from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

Select Cursor when prompted

The CLI shows a list of agents. Use arrow keys and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ────────────────

│ · Cline · Codex · Goose · Windsurf

│ ●Cursor(selected)

│ · Cursor · Aider · Continue

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/analyzing-malware-persistence-with-autoruns

Restart Cursor to activate analyzing-malware-persistence-with-autoruns. Access via /analyzing-malware-persistence-with-autoruns in your agent's command palette.

⚠

Security Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.

›View source on GitHub ›Skills CLI docs ›About Cursor ›What are agent skills?

Documentation

List & Monetize Your Skill

Submit your Claude Code skill and start earning

Get started →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

✓

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

✓

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

✓

Improve work quality by 30-40% with less effort

Overview

Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.

When to Use

When investigating security incidents that require analyzing malware persistence with autoruns

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Workflow

Step 1: Automated Persistence Scanning

#!/usr/bin/env python3 """Automate Autoruns-based persistence analysis.""" import subprocess import csv import json import sys def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"): cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"] result = subprocess.run(cmd, capture_output=True, text=True, timeout=600) with open(csv_path, 'w') as f: f.write(result.stdout) return parse_and_flag(csv_path) def parse_and_flag(csv_path): suspicious = [] with open(csv_path, 'r', errors='replace') as f: for row in csv.DictReader(f): reasons = [] signer = row.get("Signer", "") if not signer or signer == "(Not verified)": reasons.append("Unsigned binary") if not row.get("Description") and not row.get("Company"): reasons.append("Missing metadata") path = row.get("Image Path", "").lower() for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]: if sp in path: reasons.append(f"Suspicious path") launch = row.get("Launch String", "").lower() for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]: if kw in launch: reasons.append(f"LOLBin: {kw}") if reasons: row["reasons"] = reasons suspicious.append(row) return suspicious if __name__ == "__main__": if len(sys.argv) > 1: results = parse_and_flag(sys.argv[1]) print(f"[!] {len(results)} suspicious entries") for r in results: print(f" {r.get('Entry','')} - {r.get('Image Path','')}") for reason in r.get('reasons', []): print(f" - {reason}")

name	analyzing-malware-persistence-with-autoruns
description	Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
domain	cybersecurity
subdomain	malware-analysis
tags	- autoruns - persistence - malware-analysis - sysinternals - windows - registry - startup - incident-response
mitre_attack	- T1547 - T1053 - T1543 - T1546
version	'1.0'
author	mahipal
license	Apache-2.0
d3fend_techniques	- Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis
nist_csf	- DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01

analyzing-malware-persistence-with-autoruns

Installation Guide

How to use analyzing-malware-persistence-with-autoruns on Cursor

Prerequisites

Run the install command

Select Cursor when prompted

Verify installation

Security Notice

Documentation

List & Monetize Your Skill

Use Cases

Task Automation & Efficiency

Knowledge Enhancement

Quality Improvement

Install Skill

Analyzing Malware Persistence with Autoruns

Overview

When to Use

Prerequisites

Workflow

Step 1: Automated Persistence Scanning

Validation Criteria

References

Implementation Guide

Best Practices

When to Use This

Learning Path

Related Skills

implementing-soar-playbook-with-palo-alto-xsoar

analyzing-golang-malware-with-ghidra

performing-cryptographic-audit-of-application

exploiting-deeplink-vulnerabilities

generating-threat-intelligence-reports

analyzing-network-traffic-with-wireshark

Reviews

Discussion