AutorunsTracking 1.0.0.0012 en
Introduction: AutorunsTracking.xml
Track changes in MS AutoRuns keys easily by tracking registry change date. This is a package-sensor combo.
Written by Charles Chapion - [email protected]. Developed for Spectrum Health account - Tam Jason Moras - [email protected]
This content leverages the IR Autoruns content. It stores the autoruns output on a 4 hour interval (by default), compares the current run's output with the previous run's output, and logs the changes so they can be reported using two sensors.
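The compare step described above, as an added example that is not the package's own VBScript: it diffs two stored runs and emits rows shaped like the Autoruns Tracker Change Log sensor columns. The CSV storage format, the key columns, the Change Type labels and the sample rows are assumptions made for this illustration.

```python
import csv
import io

# Column names come from the Autoruns Tracker Change Log sensor on this page.
FIELDS = ["Entry Location", "Entry", "Category", "Profile", "Publisher",
          "Image Path", "Version", "Launch String", "MD5 Hash"]
# Assumption: these three columns identify the same autorun entry across runs.
KEY = ("Entry Location", "Entry", "Profile")


def load_snapshot(text):
    """Parse one stored run (assumed: CSV with a header row) into {key: row}."""
    return {tuple(r[k] for k in KEY): r for r in csv.DictReader(io.StringIO(text))}


def detect_changes(previous, current, detected_at):
    """Compare two runs; the Change Type labels are assumed, not the package's."""
    log = []
    for key in sorted(previous.keys() | current.keys()):
        old, new = previous.get(key), current.get(key)
        if old is None:
            change, row = "Added", new
        elif new is None:
            change, row = "Removed", old
        else:
            changed = [f for f in FIELDS if old[f] != new[f]]
            if not changed:
                continue  # identical in both runs: nothing to log
            change, row = "Modified: " + ", ".join(changed), new
        log.append({"Change Detected": detected_at, "Change Type": change, **row})
    return log


def line(*values):
    """Build one CSV line for the constructed sample data below."""
    return ",".join(values) + "\n"


# Constructed sample data: two runs, 4 hours apart, on a hypothetical endpoint.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HEADER = line(*FIELDS)
PREVIOUS = (HEADER
            + line(RUN, "Updater", "Logon", "System-wide", "Example Corp", r"C:\Program Files\Example\upd.exe", "1.0.0.0", "upd.exe /s", "a" * 32)
            + line(RUN, "OldAgent", "Logon", "System-wide", "Example Corp", r"C:\Example\agent.exe", "2.1.0.0", "agent.exe", "b" * 32))
CURRENT = (HEADER
           + line(RUN, "Updater", "Logon", "System-wide", "Example Corp", r"C:\Users\Public\upd.exe", "1.0.0.0", "upd.exe /s", "c" * 32)
           + line(RUN, "Sync", "Logon", "System-wide", "", r"C:\Example\sync.exe", "", "sync.exe", "d" * 32))

if __name__ == "__main__":
    for e in detect_changes(load_snapshot(PREVIOUS), load_snapshot(CURRENT), "2017-03-20 12:00"):
        print(e["Change Type"], "|", e["Entry"], "|", e["Image Path"])
```

An entry whose name and location stay the same but whose image path and hash change is reported as modified rather than as a remove/add pair, which is the case a plain text diff of the two runs tends to obscure.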
Download Location
This content is available at: https://content.tanium.com/files/published/AutorunsTracking/2017-03-20_08-34-01_1.0.0.0012-g4b28e50/AutorunsTracking.xml
Usage
To set up:
- Import AutorunsTracker_Solution.xml (or other built/exported version).
- Navigate to Scheduled Actions and locate the Deploy Autoruns Tracker Detect Changes action, which comes disabled. Enable it.
- Wait 8 hours, making changes to autoruns every 4 hours, or make changes and manually deploy the Autoruns Tracker Detect Changes package between changes.
See when the last change was made with:
Get Computer Name and Autoruns Change Last Detected from all machines
or for more detail (better as a drill-down to the previous question):
Get Autoruns Tracker Change Log from all machines
Packages
Autoruns Tracker Delete Data
This package contains 1 file and 0 sensors.
Additional Properties:
- Command Line: cmd /c C:\Windows\System32\cscript.exe /nologo autoruns_deletedata.vbs
- Command Line Timeout: 60
Prompts:
Files:
- autoruns_deletedata.vbs
Autoruns Tracker Generate Change Log
This package contains 1 file and 0 sensors.
Additional Properties:
- Command Line: cmd /c C:\Windows\System32\cscript.exe /nologo autoruns_detectchange.vbs
- Command Line Timeout: 300
Prompts:
Files:
- autoruns_detectchange.vbs
Sensors
Autoruns Tracker Change Log
Columns
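| Name | Type | Description |
| --- | --- | --- |
| Change Detected | Text | |
| Change Type | Text | |
| Entry Location | Text | |
| Entry | Text | |
| Category | Text | |
| Profile | Text | |
| Publisher | Text | |
| Image Path | Text | |
| Version | Version | |
| Launch String | Text | |
| MD5 Hash | Text | |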
Autoruns Change Last Detected
Actions
Deploy Autoruns Tracker Generate Change Log
Packages: