
analyzing-malware-persistence-with-autoruns

by mukul975

analyzing-malware-persistence-with-autoruns is a Sysinternals Autoruns skill for malware analysis. It helps you inspect Windows persistence in Run keys, services, scheduled tasks, Winlogon, drivers, and WMI, using a repeatable workflow with CSV exports, suspicious-entry review, and report-ready findings.

Added: May 12, 2026
Category: Malware Analysis
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-malware-persistence-with-autoruns
Curation Score

This skill scores 78/100, which is solid enough for directory listing. It gives users a credible install decision because the repository includes a real Windows persistence-analysis workflow for Autoruns, with CLI usage, categories, suspicious indicators, and a companion script/reference set that reduces guesswork compared with a generic prompt.

Strengths
  • Clear operational focus on malware persistence analysis with Sysinternals Autoruns across registry keys, services, scheduled tasks, drivers, and other ASEPs.
  • Useful supporting materials: API reference, workflow doc, standards reference, and a Python agent script that signal a concrete analysis approach.
  • Strong agent leverage from explicit command example, output columns, suspicious indicators, and MITRE/NIST mappings.
Cautions
  • The skill excerpt does not show a full install command in SKILL.md, so users may need to infer setup or execution steps.
  • The visible workflow is somewhat template-driven and not fully demonstrated end-to-end in the excerpt, so adoption may require some analyst familiarity with Autoruns and Windows forensics.
Overview

Overview of analyzing-malware-persistence-with-autoruns skill

What this skill does

The analyzing-malware-persistence-with-autoruns skill helps you use Sysinternals Autoruns to find and interpret Windows persistence artifacts during malware analysis. It is a fit when you need to triage startup locations, spot suspicious autostarts, and turn raw Autoruns output into an incident-response-friendly view.

Who should install it

This analyzing-malware-persistence-with-autoruns skill is most useful for malware analysts, SOC analysts, incident responders, and threat hunters working on Windows systems. It is especially relevant when you already have an Autoruns CSV export or need a repeatable workflow for checking common ASEPs like services, scheduled tasks, Run keys, Winlogon, and WMI.

Why it is different

The repo is not just a generic prompt wrapper. It includes a concrete Autoruns command, a structured report template, reference material, and a small Python agent for parsing and flagging suspicious entries. That makes the analyzing-malware-persistence-with-autoruns guide more decision-useful than a plain “look for persistence” prompt.

How to Use analyzing-malware-persistence-with-autoruns skill

Install and inspect the skill

Run the analyzing-malware-persistence-with-autoruns install command in your skill manager, then open SKILL.md first. For deeper context, read references/api-reference.md for the Autoruns CLI flags, references/workflows.md for the analysis flow, references/standards.md for the security framing, and scripts/agent.py if you want the parsing logic behind the recommendations.

Feed it the right inputs

The skill works best with a focused task plus evidence, not a vague request. Good inputs include the Autoruns CSV export, the target host context, the suspected sample or incident summary, and any known benign software list. For example: “Analyze this Autoruns CSV for persistence linked to a phishing payload; prioritize unsigned entries, LOLBins, and anything under %TEMP% or %ProgramData%.”

Use a workflow that matches the evidence

Start with a CSV export such as autorunsc.exe -a * -c -h -s -v -vt -o autoruns.csv, then review high-risk locations before reading every line. In practice, check Run/RunOnce, services, scheduled tasks, Winlogon, drivers, and WMI subscriptions first, then compare against known-good baselines and digital-signature status. The analyzing-malware-persistence-with-autoruns usage flow is strongest when you ask for ranked suspicious entries plus rationale, not just a list dump.
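As an added example (not the skill's own scripts/agent.py), the Python below parses a constructed Autoruns-style CSV, scores each row on the indicators this workflow prioritizes (high-risk ASEP category, unverified signer, image under a user-writable path, LOLBin in the launch string), sets aside rows that match a clean-host baseline, and returns a ranked list with a rationale per entry. The column subset, sample rows, baseline hashes and the "(Verified)" signer-prefix convention are assumptions.

```python
import csv
import io
import re

# Constructed sample rows using a subset of autorunsc -c columns (not data from a real host).
SAMPLE_CSV = r"""Entry Location,Entry,Category,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,Logon,(Not verified) Unknown,c:\users\bob\appdata\local\temp\upd.exe,powershell.exe -nop -w hidden -enc QQBB,bbbb
Task Scheduler,\Microsoft\Windows\Sync\SyncHelper,Scheduled Tasks,,c:\programdata\sync\helper.dll,rundll32.exe c:\programdata\sync\helper.dll Start,cccc
HKLM\System\CurrentControlSet\Services,Spooler,Services,(Verified) Microsoft Windows,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe,dddd
"""
# Constructed clean-host baseline: (location, entry, SHA-256) triples from a known-good export.
BASELINE = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", "aaaa"),
    (r"HKLM\System\CurrentControlSet\Services", "Spooler", "dddd"),
}
# Locations the workflow says to triage first, and the indicators the prompt example prioritizes.
HIGH_RISK = {"Logon", "Services", "Scheduled Tasks", "Winlogon", "Drivers", "WMI"}
WRITABLE_PATH = re.compile(r"\\(temp|programdata|appdata)\\", re.I)
LOLBIN = re.compile(r"\b(powershell|mshta|rundll32|regsvr32|wscript|cscript|certutil)\.exe", re.I)

def score_entry(row, baseline):
    """Return (score, reasons) for one Autoruns row; score 0 means nothing to chase."""
    if (row["Entry Location"], row["Entry"], row["SHA-256"]) in baseline:
        return 0, ["matches clean baseline"]
    reasons = []
    if row["Category"] in HIGH_RISK:
        reasons.append("high-risk ASEP category: " + row["Category"])
    # Assumption: Autoruns prefixes trusted signers with "(Verified)"; anything else is unverified.
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("unsigned or unverified signer")
    if WRITABLE_PATH.search(row["Image Path"]):
        reasons.append("image lives under a user-writable path")
    if LOLBIN.search(row["Launch String"]):
        reasons.append("launch string invokes a LOLBin")
    return len(reasons), reasons

def rank_entries(csv_text, baseline):
    """Parse Autoruns CSV text and return entries ranked most suspicious first, with rationale."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_entry(row, baseline)
        ranked.append({"location": row["Entry Location"], "entry": row["Entry"],
                       "score": score, "reasons": reasons})
    ranked.sort(key=lambda e: e["score"], reverse=True)  # stable sort: ties keep CSV order
    return ranked

if __name__ == "__main__":
    for e in rank_entries(SAMPLE_CSV, BASELINE):
        print(e["score"], e["location"], e["entry"], "; ".join(e["reasons"]))
```

Feeding a real export means reading the file autorunsc wrote and passing its decoded text plus your own baseline triples; the reasons list is what you would paste into the "why it is suspicious" column of the report.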

What to read first in the repo

If you are deciding whether the skill will save time, read assets/template.md to see the expected report structure and references/api-reference.md to understand output fields and suspicious indicators. Then skim scripts/agent.py to see how the skill classifies suspicious paths and command patterns; that helps you align your prompt with the built-in logic.

analyzing-malware-persistence-with-autoruns skill FAQ

Is this only for malware analysis?

No, but malware analysis is the strongest fit for analyzing-malware-persistence-with-autoruns. It also works for incident response, persistence hunting, and triage after suspicious logon behavior or post-exploitation activity. It is less useful for general Windows troubleshooting because the skill is tuned for hostile or potentially hostile persistence.

Do I need Autoruns already installed?

Usually yes, or at least access to an Autoruns CSV export. The skill is designed around Autoruns data, especially the columns needed for hashing, signature validation, and VirusTotal context. If you only have a vague suspicion and no endpoint access, the output will be weaker.

How is this better than a normal prompt?

A normal prompt may explain persistence concepts, but this skill gives you a repeatable Autoruns-centered workflow, a report template, and reference-backed analysis cues. That reduces guesswork when you need to justify why an entry is suspicious, not just say that it looks bad.

Is it beginner-friendly?

Yes, if you can identify a Windows host and collect an Autoruns export. Beginners get the most value when they ask for a ranked review of suspicious entries and provide context about what is known versus unknown. Without that, the model may over-focus on noisy but benign startup items.

How to Improve analyzing-malware-persistence-with-autoruns skill

Provide context that narrows the hunt

The best results come from a short incident brief: affected host, time window, suspected malware family, and any observed execution chains. If you know the likely persistence type, say so. For example, “focus on scheduled tasks and Run keys after a suspected loader used PowerShell” is more actionable than “analyze this file.”

Include known-good and known-bad anchors

The analyzing-malware-persistence-with-autoruns skill improves when you provide trusted software, admin tools, and anything already confirmed malicious. This helps the analysis separate noisy enterprise software from true persistence. If you have a baseline Autoruns export from a clean machine, include it for comparison.

Ask for output that matches your next step

Do not stop at “find suspicious entries.” Ask for a table with location, entry name, why it is suspicious, how to validate it, and whether it is likely malicious, benign, or unknown. If you are writing an incident report, request a concise summary plus recommended containment or verification actions. Iterating this way makes the analyzing-malware-persistence-with-autoruns guide much more useful on the second pass than on the first.
