{\rtf1\ansi\deff3\adeflang1025 {\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset0 Liberation Serif{\*\falt Times New Roman};}{\f4\froman\fprq2\fcharset0 Calibri;}{\f5\fswiss\fprq2\fcharset0 Liberation Sans{\*\falt Arial};}{\f6\fnil\fprq2\fcharset0 Microsoft YaHei;}{\f7\fswiss\fprq0\fcharset128 Arial;}{\f8\fnil\fprq2\fcharset0 Arial;}} {\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;} {\stylesheet{\s0\snext0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052 Normal;} {\*\cs15\snext15\rtlch\alang255 \ltrch\lang255\langfe255\loch\cf9\lang255\ul\ulc0\dbch\langfe255 Hyperlink;} {\*\cs16\snext16\hich\af4\loch\f4\fs22\b0 ListLabel 1;} {\s17\sbasedon0\snext18\rtlch\af8\afs28 \ltrch\hich\af5\loch\sb240\sa120\keepn\f5\fs28\dbch\af6 Heading;} {\s18\sbasedon0\snext18\loch\sl276\slmult1\sb0\sa140 Text Body;} {\s19\sbasedon18\snext19\rtlch\af7 \ltrch\loch\sl276\slmult1\sb0\sa140 List;} {\s20\sbasedon0\snext20\rtlch\af7\afs24\ai \ltrch\loch\sb120\sa120\noline\fs24\i Caption;} {\s21\sbasedon0\snext21\rtlch\af7\alang255 \ltrch\lang255\langfe255\loch\noline\lang255\dbch\langfe255 Index;} }{\*\listtable{\list\listtemplateid1 {\listlevel\levelnfc23\leveljc0\levelstartat0\levelfollow0{\leveltext \'01\u183 ?;}{\levelnumbers;}\f1\loch\fs22\b0\fi0\li0} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'01.;}{\levelnumbers\'01;}\fi-360\li1080} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'02.;}{\levelnumbers\'01;}\fi-360\li1440} 
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'03.;}{\levelnumbers\'01;}\fi-360\li1800} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'04.;}{\levelnumbers\'01;}\fi-360\li2160} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'05.;}{\levelnumbers\'01;}\fi-360\li2520} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'06.;}{\levelnumbers\'01;}\fi-360\li2880} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'07.;}{\levelnumbers\'01;}\fi-360\li3240} {\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow0{\leveltext \'02\'08.;}{\levelnumbers\'01;}\fi-360\li3600}\listid1} {\list\listtemplateid2 {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0} {\listlevel\levelnfc255\leveljc0\levelstartat1\levelfollow2{\leveltext \'00;}{\levelnumbers;}\fi0\li0}\listid2} }{\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}{\listoverride\listid2\listoverridecount0\ls2}}{\*\generator LibreOffice/7.2.1.2$Windows_X86_64 
LibreOffice_project/87b77fad49947c1441b67c559c339af8f3517e22}{\info{\creatim\yr0\mo0\dy0\hr0\min0}{\revtim\yr2021\mo12\dy10\hr9\min1}{\printim\yr0\mo0\dy0\hr0\min0}}{\*\userprops}\deftab720 \hyphauto1\viewscale100 {\*\pgdsctbl {\pgdsc0\pgdscuse451\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\pgdscnxt0 Default Page Style;}} \formshade\paperh15840\paperw12240\margl1440\margr1440\margt1440\margb1440\sectd\sbknone\pgndec\sftnnar\saftnnrlc\sectunlocked1\pgwsxn12240\pghsxn15840\marglsxn1440\margrsxn1440\margtsxn1440\margbsxn1440\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc {\*\ftnsep\chftnsep}\pgndec\pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl240\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch WinEventLog Autoruns} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch Autoruns is a Sysinternals tool that enumerates every location in Windows where a program can register itself to launch at boot or when certain applications are opened. Malware commonly abuses these auto-start locations to persist, so that it runs every time the machine boots. 
The installer and collection scripts can be downloaded from }{{\field{\*\fldinst HYPERLINK "https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog}}}} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch More about Autoruns at: }{{\field{\*\fldinst HYPERLINK "https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" }{\fldrslt {\hich\af4\loch\fs22\lang1033\b0\f4\loch https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx}}}} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\b\f4\loch Installation} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\b0\f4\loch From an }{\hich\af4\loch\fs22\lang1033\ul\ulc0\b0\f4\loch elevated (Administrator) PowerShell console}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch , run }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\highlight16\f4\loch .\\Install.ps1}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch . Review the script before running it: it executes with administrative rights and fetches a binary from the internet. 
The script will:} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch Create a directory at c:\\Program Files\\AutorunsToWinEventLog to store and forward all logs} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch Copy AutorunsToWinEventLog.ps1 (the collection script) into the same directory} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch Download Autorunsc64.exe from }{{\field{\*\fldinst HYPERLINK "https://live.sysinternals.com" }{\fldrslt {\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch https://live.sysinternals.com}}}}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch  (this binary is fetched at install time and will run with administrative rights on every schedule; verify its digital signature before relying on its output)} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch{\listtext\pard\plain \hich\af4\loch\f4\fs22\b0 \u183\'b7\tab}\ilvl0\ls1 \li720\ri0\lin720\rin0\fi0\sl276\slmult1\ql\li720\ri0\lin720\rin0\fi-360\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch Create a scheduled task to run the copied AutorunsToWinEventLog.ps1 }{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch 
s}{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch cript daily at 1100} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch To run the task immediately instead of waiting for the 1100 schedule, open the Task Scheduler library and run it from there.} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs32\lang1033\ulnone\ulc0\b\f4\loch What Does AutorunsToWinEventLog Do?} \par \pard\plain \s0\rtlch\af8\afs24\alang1081 \ltrch\lang1033\langfe2052\hich\af3\loch\nowidctlpar\hyphpar0\ltrpar\cf0\f3\fs24\lang1033\kerning1\dbch\af9\langfe2052\loch\sl276\slmult1\ql\sb0\sa200\ltrpar{\hich\af4\loch\fs22\lang1033\ulnone\ulc0\b0\f4\loch Autoruns ships with a non-interactive command-line utility (Autorunsc). The collection script runs it to generate a CSV of Autoruns entries, converts each entry to JSON, and writes the results into a custom Windows Event Log. This lets you reuse your existing WEF infrastructure to forward the entries to your SIEM (provided the WEF subscription is configured to collect that custom log) and start hunting for signs of malicious persistence on endpoints and servers. Because the task runs once a day, the log is a daily snapshot of auto-start entries rather than real-time detection.} \par }