-
Notifications
You must be signed in to change notification settings - Fork 521
Autoruns
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Autoruns.
From https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx:
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
Currently, our Autoruns dashboard in Kibana works only with Autoruns logs shipped via OSSEC. If you are trying to ship Autoruns logs via Winlogbeat, you can create a custom dashboard and visualizations that reference the logstash-beats-*
indices, or view Autoruns logs via the Beats
dashboard.
Josh Brower developed a great project called Pertinax to normalize autoruns data and integrate it into Security Onion:
https://github.com/defensivedepth/Pertinax/wiki/Introduction
Josh's syslog-ng patterns were merged into Security Onion here:
https://blog.securityonion.net/2016/08/new-elsa-packages-resolve-several-issues.html
Execute autoruns and ar-normalize.ps1 as shown here:
https://github.com/defensivedepth/Pertinax/wiki/Reference%20Architecture
Another method for integrating Autoruns into your logging infrastructure is AutorunsToWinEventLog:
https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog
Download Autoruns here:
https://download.sysinternals.com/files/Autoruns.zip
Download ar-normalize.ps1 here:
https://raw.githubusercontent.com/defensivedepth/Pertinax/master/normalize/ar-normalize.ps1
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs