
AutorunsTracking 1.0.0.0012

From Tanium Knowledge Base


Introduction: AutorunsTracking.xml

Track changes in MS AutoRuns keys easily by tracking registry change date. This is a package-sensor combo.

Written by Charles Chapion - [email protected]

Developed for Spectrum Health account - Tam Jason Moras - [email protected]

This content builds on the IR Autoruns content. It stores the autoruns output on a 4-hour interval (by default), compares the current run's output with the previous run's output, and logs the changes so that they can be reported through two sensors.


Download Location

This content is available at: https://content.tanium.com/files/published/AutorunsTracking/2017-03-20_08-34-01_1.0.0.0012-g4b28e50/AutorunsTracking.xml

Usage

To set up:

  • Import AutorunsTracker_Solution.xml (or other built/exported version).
  • Navigate to Scheduled Actions and locate the Deploy Autoruns Tracker Detect Changes action, which comes disabled. Enable it.
  • Wait 8 hours, making changes to autoruns every 4 hours, or make changes and manually deploy the Autoruns Tracker Detect Changes package between changes.


See when the last change was made with:

  Get Computer Name and Autoruns Change Last Detected from all machines

or, for more detail (better as a drill-down to the previous question):

  Get Autoruns Tracker Change Log from all machines


Packages

Autoruns Tracker Delete Data

This package contains 1 file and 0 sensors.

Additional Properties:

  • Command Line: cmd /c C:\Windows\System32\cscript.exe /nologo autoruns_deletedata.vbs
  • Command Line Timeout: 60

Prompts:

Files:

  • autoruns_deletedata.vbs

Autoruns Tracker Generate Change Log

This package contains 1 file and 0 sensors.

Additional Properties:

  • Command Line: cmd /c C:\Windows\System32\cscript.exe /nologo autoruns_detectchange.vbs
  • Command Line Timeout: 300

Prompts:

Files:

  • autoruns_detectchange.vbs

Sensors

Autoruns Tracker Change Log

Columns

Name              Type      Description
Change Detected   Text
Change Type       Text
Entry Location    Text
Entry             Text
Category          Text
Profile           Text
Publisher         Text
Image Path        Text
Version           Version
Launch String     Text
MD5 Hash          Text
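
The compare-and-log step described in the introduction, sketched in Python so that it yields rows shaped like the columns above. This is an added example, not the package's autoruns_detectchange.vbs: the entry key, the Added/Removed/Modified labels, the timestamp format and the sample snapshot rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample snapshots (not real autoruns output).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HEADER = ("Entry Location,Entry,Category,Profile,Publisher,"
          "Image Path,Version,Launch String,MD5 Hash")
PREVIOUS = "\n".join([HEADER,
    rf"{RUN},ExampleUpdater,Logon,System-wide,Example Corp,C:\Example\updater.exe,1.0.0.0,updater.exe /quiet,{'a' * 32}",
    rf"{RUN},ExampleTray,Logon,System-wide,Example Corp,C:\Example\tray.exe,2.1.0.0,tray.exe,{'b' * 32}"])
CURRENT = "\n".join([HEADER,
    rf"{RUN},ExampleUpdater,Logon,System-wide,Example Corp,C:\Example\updater.exe,1.0.0.0,updater.exe /quiet,{'c' * 32}",
    rf"{RUN},ExampleHelper,Logon,System-wide,,C:\Example\helper.exe,,helper.exe,{'d' * 32}"])

# Assumption: an entry is identified by where it is registered and for whom.
KEY = ("Entry Location", "Entry", "Profile")


def load(snapshot_csv):
    """Index a snapshot's rows by entry identity."""
    rows = csv.DictReader(io.StringIO(snapshot_csv))
    return {tuple(row[k] for k in KEY): row for row in rows}


def change_log(previous_csv, current_csv, detected=None):
    """Return change-log rows for everything that differs between two runs."""
    if previous_csv is None:
        return []  # first run: nothing to compare against, baseline only
    detected = detected or datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    old, new = load(previous_csv), load(current_csv)
    log = []
    for key in sorted(old.keys() | new.keys()):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        if before is None:
            change, row = "Added", after
        elif after is None:
            change, row = "Removed", before
        else:
            change, row = "Modified", after  # same entry, some field changed
        log.append({"Change Detected": detected, "Change Type": change, **row})
    return log


if __name__ == "__main__":
    for entry in change_log(PREVIOUS, CURRENT):
        print(entry["Change Detected"], entry["Change Type"], entry["Entry"], entry["MD5 Hash"])
```

Comparing whole rows means a binary replaced at an unchanged path shows up as Modified through its MD5 Hash column, which a key-only comparison would miss.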

Autoruns Change Last Detected

Actions

Deploy Autoruns Tracker Generate Change Log


Packages: