Detecting persistency of malicious software through a centralized monitoring system such as IBM QRadar can be a challenge as the straightforward solution of monitoring scheduled tasks through Windows Security Logs does not provide the information to determine the legitimacy of a newly created scheduled task running a process on the environment.
To detect possible malicious persistency on an endpoint device, Windows released “Autoruns.”
Autoruns has the most comprehensive knowledge of auto-starting locations of any startup monitor which shows you what programs are configured to run during system bootup or login. This utility also calculates hashes of each startup process and can cross-reference those hashes against Virus-Total to determine the public reputation of each start-up process.
Even though Autoruns is great for onsite investigations, it does not scale well as it does not generate a log file and does not contribute to the Windows security event logs.
For Autoruns to create an ingestible log, we are going to need to use a script called: AutorunsToWinEventLog.
Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.
1. Obtain AutorunsToWinEventLog from https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog
2. Run the following command from an admin PowerShell console:
The script will do the following by default:
Since it’s a PowerShell script, it can be modified with a very basic knowledge of programming.
3. Check the Windows event viewer after running the script.
As you can see in the above picture, you have Autoruns under Applications and Services Logs.
4. Once Autoruns saves the logs in the local Windows event viewer, we can use a wincollect agent with the following X-Path query to pull that information and send it over to Qradar:
<Query Id="0" Path=" Autoruns ">
5. Manually create parsers for the logs that arrive as "unknown" through your Windows event viewer (As these are not supported by IBM DSMs).
That’s it! The autoruns data will be fed into your QRadar environment automatically, and you’ll be able to detect persistent threats.
We recently held an exclusive roundtable at IBM's Israel HQ...
In today’s threat landscape, security teams are facing an influx...
Impacted Products This vulnerability affects versions 8.0, 8.1, 8.5, and...