Skip to content
Branch: master
Find file History
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
AutorunsToWinEventLog.ps1 Fix logic and remove redundancies Dec 4, 2018
Install.ps1 Updating install.ps1 to use TLSv1.2 for Invoke-WebRequest Oct 30, 2018
README.md Initial commit. Sep 5, 2017
Uninstall.ps1

README.md

Autoruns to WinEventLog

What is Autoruns?

Autoruns is a tool developed by Sysinternals that allows you to view all of the locations in Windows where applications can insert themselves to launch at boot or when certain applications are opened. Malware often takes advantages of these locations to ensure that it runs whenever your computer boots up.

More on Autoruns here: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Installation Instructions

From an Admin Powershell console run .\Install.ps1. This script does the following:

  • Creates the directory structure at c:\Program Files\AutorunsToWinEventLog
  • Copies over AutorunsToWinEventLog.ps1 to that directory
  • Downloads Autorunsc64.exe from https://live.sysinternals.com
  • Sets up a scheduled task to run the script daily @ 11am

If you'd like to run it immediately, open up the scheduled tasks library and launch it from there.

What does AutorunsToWinEventLog do?

Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.

You can’t perform that action at this time.