Upload files to "8 Tools"
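--- a/8 Tools/Autoruns Guide.rtf
+++ b/8 Tools/Autoruns Guide.rtf
@@ -0,0 +1,70 @@
+{\rtf1\ansi\deff3\adeflang1025
+{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset0 Liberation Serif{\*\falt Times New Roman};}{\f4\froman\fprq2\fcharset0 Calibri;}{\f5\fswiss\fprq2\fcharset0 Liberation Sans{\*\falt Arial};}{\f6\fnil\fprq2\fcharset0 Microsoft YaHei;}{\f7\fswiss\fprq0\fcharset128 Arial;}{\f8\fnil\fprq2\fcharset0 Arial;}}
+{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}
+{\stylesheet{\s0\snext0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052 Normal;}
+{\*\cs15\snext15\rtlch\alang255 \ltrch\lang255\langfe255\loch\cf9\lang255\ul\ulc0\dbch\langfe255 Hyperlink;}
+{\*\cs16\snext16\hich\af4\loch\f4\fs22\b0 ListLabel 1;}
+{\s17\sbasedon0\snext18\rtlch\af8\afs28 \ltrch\hich\af5\loch\sb240\sa120\keepn\f5\fs28\dbch\af6 Heading;}
+{\s18\sbasedon0\snext18\loch\sl276\slmult1\sb0\sa140 Text Body;}
+{\s19\sbasedon18\snext19\rtlch\af7 \ltrch\loch\sl276\slmult1\sb0\sa140 List;}
+{\s20\sbasedon0\snext20\rtlch\af7\afs24\ai \ltrch\loch\sb120\sa120\noline\fs24\i Caption;}
+{\s21\sbasedon0\snext21\rtlch\af7\alang255 \ltrch\lang255\langfe255\loch\noline\lang255\dbch\langfe255 Index;}
+}{\*\listtable{\list\listtemplateid1
+{\listlevel\levelnfc23\leveljc0\levelstartat0\levelfollow0{\leveltext \'01\u183 ?;}{\levelnumbers;}\f1\loch\fs22\b0\fi0\li0}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'01.;}{\levelnumbers\'01;}\fi-360\li1080}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'02.;}{\levelnumbers\'01;}\fi-360\li1440}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'03.;}{\levelnumbers\'01;}\fi-360\li1800}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'04.;}{\levelnumbers\'01;}\fi-360\li2160}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'05.;}{\levelnumbers\'01;}\fi-360\li2520}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'06.;}{\levelnumbers\'01;}\fi-360\li2880}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'07.;}{\levelnumbers\'01;}\fi-360\li3240}
+{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'08.;}{\levelnumbers\'01;}\fi-360\li3600}\listid1}
+{\list\listtemplateid2
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}
+{\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}\listid2}
+}{\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}{\listoverride\listid2\listoverridecount0\ls2}}{\*\generator LibreOffice/7.2.1.2$Windows_X86_64 LibreOffice_project/87b77fad49947c1441b67c559c339af8f3517e22}{\info{\creatim\yr0\mo0\dy0\hr0\min0}{\revtim\yr2021\mo12\dy10\hr9\min1}{\printim\yr0\mo0\dy0\hr0\min0}}{\*\userprops}\deftab720
+\hyphauto1\viewscale100
+{\*\pgdsctbl
+{\pgdsc0\pgdscuse451\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\pgdscnxt0 Default Page Style;}}
+\formshade\paperh15840\paperw12240\margl1440\margr1440\margt1440\margb1440\sectd\sbknone\pgndec\sftnnar\saftnnrlc\sectunlocked1\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc
+{\*\ftnsep\chftnsep}\pgndec\pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl240\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch
+WinEventLog Autoruns}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
+Autoruns is a tool developed by Sysinternals that allows you to view all of the locations in Windows where applications can insert themselves to launch at boot or when certain applications are opened. Malware often takes advantages of these locations to ensure that it runs whenever your computer boots up. The script can be downloaded from }{{\field{\*\fldinst HYPERLINK "https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch
+https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog}}}}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
+More about Autoruns at: }{{\field{\*\fldinst HYPERLINK "https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch
+https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx}}}}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch
+Installation}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch
+From an }{\hich\af4\loch\fs22\lang1033\ul\ulc0\b0\f4\loch
+Admin Powershell Console}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+run }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\highlight16\f4\loch
+.\\Install.ps1}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+. The script will:}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Create a directory at c:\\Program Files\\AutorunsToWinEventLog to store and forward all logs}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Copy over AutorunsToWinEventLog.ps1 to the same directory}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Download Autorunsc64.exe from }{{\field{\*\fldinst HYPERLINK "https://live.sysinternals.com" }{\fldrslt {\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+https://live.sysinternals.com}}}}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Create a scheduled task to run the install }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+s}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+cript daily at 1100}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+To run the task without waiting, open scheduled tasks library and execute it from there.}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\ulnone\ulc0\b\f4\loch
+What Does AutorunsToWinEventLog do}
+\par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch
+Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.}
+\par }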