How To Detect Advanced Persistent Threats in QRadar

Detecting malware persistence through a centralized monitoring system such as IBM QRadar is a challenge. The straightforward approach of watching scheduled-task creation in the Windows Security log (event 4698) tells you that a task was created and which command it runs, but not whether that binary is legitimate: there is no hash, no signature status and no reputation data to judge a newly created task against.

To find possible malicious persistence on an endpoint, Microsoft's Sysinternals team released Autoruns.

Autoruns covers more auto-start locations than any other startup monitor and shows which programs are configured to run at boot or logon. It also computes a hash of each startup image, verifies its Authenticode signature, and can look the hash up on VirusTotal to get the public reputation of every start-up entry.
Autoruns is excellent for hands-on investigation, but it does not scale: the GUI writes nothing to the Windows event log, so its findings never reach a SIEM.

For Autoruns to produce a log that a SIEM can ingest, we use the AutorunsToWinEventLog script from Palantir's windows-event-forwarding repository.

What does AutorunsToWinEventLog do?

Autoruns ships with a non-interactive command-line version, Autorunsc. AutorunsToWinEventLog runs it to generate a CSV of all Autoruns entries, converts each row to JSON, and writes each entry as an event into a custom Windows event log. Once the data is in the event log, the existing Windows Event Forwarding (or, as in this guide, WinCollect) infrastructure carries it to the SIEM, where we can hunt for signs of malicious persistence on endpoints and servers.
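To make the mechanism concrete, here is an added, minimal re-implementation of that pipeline (autorunsc to CSV, CSV rows to JSON, JSON into a custom event log). It is example code written for this article, not Palantir's script. It assumes Windows PowerShell 5.1 in an elevated console (New-EventLog and Write-EventLog are not available in PowerShell 7), that Autorunsc64.exe has already been downloaded into the install directory, and the source name AutorunsToWinEventLog (the log name Autoruns is the one the article shows; the source name and CSV file name are assumptions).

```powershell
# Added example, not the AutorunsToWinEventLog script itself.
# Assumptions: Windows PowerShell 5.1, elevated console, Autorunsc64.exe already present.
$AutorunsDir = 'C:\Program Files\AutorunsToWinEventLog'     # install path used by the article
$Autorunsc   = Join-Path $AutorunsDir 'Autorunsc64.exe'
$CsvPath     = Join-Path $AutorunsDir 'AutorunsOutput.csv'   # assumed scratch file name
$LogName     = 'Autoruns'                                    # shows under Applications and Services Logs
$SourceName  = 'AutorunsToWinEventLog'                       # assumed event source name

# Register the custom log and its source once; subsequent runs skip this step.
if (-not [System.Diagnostics.EventLog]::SourceExists($SourceName)) {
    New-EventLog -LogName $LogName -Source $SourceName
}

# Run the non-interactive autorunsc:
#   -a *   every autostart category      -c  CSV output
#   -h     file hashes                   -s  verify Authenticode signatures
#   -v -vt query VirusTotal by hash and accept the VirusTotal terms of service
# Start-Process writes autorunsc's raw output bytes to the file; Get-Content later
# honours the byte-order mark the tool emits, so no encoding guesswork is needed.
Start-Process -FilePath $Autorunsc `
    -ArgumentList '-nobanner', '-accepteula', '-a *', '-c', '-h', '-s', '-v', '-vt' `
    -RedirectStandardOutput $CsvPath -WindowStyle Hidden -Wait
if (-not (Test-Path $CsvPath) -or (Get-Item $CsvPath).Length -eq 0) {
    throw "autorunsc produced no output at $CsvPath"
}

# Each CSV row becomes an object keyed by autorunsc's column headers
# (Entry Location, Entry, Image Path, Signer, SHA-256, VT detection, ...).
$entries = Get-Content -Path $CsvPath | ConvertFrom-Csv
$written = 0
foreach ($entry in $entries) {
    # Stamp the host name so each event is self-describing once it leaves the machine.
    $entry | Add-Member -NotePropertyName 'Host' -NotePropertyValue $env:COMPUTERNAME -Force
    # One compact JSON document per event keeps the message on a single line,
    # which makes the SIEM-side regex or JSON extraction simpler.
    $json = $entry | ConvertTo-Json -Compress
    Write-EventLog -LogName $LogName -Source $SourceName -EntryType Information -EventId 1 -Message $json
    $written++
}
Write-Host "Wrote $written Autoruns entries to the '$LogName' event log."
```

Run it once by hand to confirm the Autoruns log fills up, then put it on a schedule; every run rewrites the full inventory, so a downstream consumer can diff consecutive runs to spot entries that appeared since the last one.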

Steps Required:

1. Obtain AutorunsToWinEventLog from https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog

2. Run the following command from an admin PowerShell console:


The script will do the following by default:

  • Creates the directory structure at C:\Program Files\AutorunsToWinEventLog
  • Copies over AutorunsToWinEventLog.ps1 to that directory
  • Downloads Autorunsc64.exe from https://live.sysinternals.com
  • Sets up a scheduled task to run the script daily @ 11am

Since it is a PowerShell script, the install path, the autorunsc flags and the schedule can be changed with very basic scripting knowledge.

3. Check the Windows event viewer after running the script.

As you can see in the above picture, the new Autoruns log appears under Applications and Services Logs.

4. Once the script has written the entries into the local Autoruns event log, a WinCollect agent can pull them and forward them to QRadar. On the WinCollect log source, add the custom log to the XPath query. The query is a standard Windows event-subscription QueryList, and the channel name must match the log name exactly (the original had stray spaces around "Autoruns" in the Path attribute, which breaks the query):

    <QueryList>
      <Query Id="0" Path="Autoruns">
        <Select Path="Autoruns">*</Select>
      </Query>
    </QueryList>

5. Because no IBM DSM covers this custom log, the events arrive in QRadar as Unknown under the Windows log source. Build parsing for them yourself (for example with the DSM Editor, or custom event properties extracted from the JSON message) so that fields such as the image path, signer, hash and VirusTotal result become searchable, and then write rules against those fields.

That's it! From now on every scheduled run feeds the full Autoruns inventory into QRadar, and you can alert on autostart entries that are unsigned, flagged on VirusTotal, or newly appeared since the previous run.
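The triage logic QRadar rules would encode is easier to read in a few lines of script, so here is an added example (written for this article, not from the page or the Palantir project) that applies it to the JSON entries the collector writes into the Autoruns log. Column names follow autorunsc's CSV headers (Entry Location, Entry, Image Path, Signer, SHA-256, VT detection); the "n/m" VirusTotal format, the Host field and the two sample rows are assumptions constructed so the example runs offline.

```powershell
# Added example: flag suspicious autostart entries from the Autoruns event log.
# Assumed input shape: objects with autorunsc's CSV columns plus a Host field.
function Find-SuspiciousAutoruns {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,   # parsed JSON events from the Autoruns log
        [string[]] $BaselineHashes = @()              # SHA-256 values from a known-good run
    )
    foreach ($e in $Entries) {
        $reasons = @()
        # 1. Authenticode: autorunsc prefixes Signer with "(Verified)" or "(Not verified)".
        if ($e.Signer -notlike '(Verified)*') { $reasons += 'unsigned or invalid signature' }
        # 2. VirusTotal: non-zero detections are bad; a hash VT has never seen is
        #    worth a look unless it is a verified Microsoft binary (format "n/m" assumed).
        if ($e.'VT detection' -match '^(\d+)/(\d+)$') {
            if ([int]$Matches[1] -gt 0) { $reasons += "VT detections $($e.'VT detection')" }
        } elseif ($e.Signer -notlike '(Verified) Microsoft*') {
            $reasons += 'hash unknown to VirusTotal'
        }
        # 3. Novelty: a hash absent from the baseline is a newly introduced autostart,
        #    which is exactly the "new scheduled task" case the Security log cannot judge.
        if ($BaselineHashes -and ($e.'SHA-256' -notin $BaselineHashes)) { $reasons += 'new since baseline' }
        # 4. Location: autostarts launched from user-writable profile paths deserve review.
        if ($e.'Image Path' -match '^(?i)c:\\users\\[^\\]+\\(appdata|downloads)\\') { $reasons += 'runs from user profile' }
        if ($reasons) {
            [pscustomobject]@{
                Host     = $e.Host
                Location = $e.'Entry Location'
                Entry    = $e.Entry
                Image    = $e.'Image Path'
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rows in the shape of the collector's JSON, so this runs offline.
$sample = @(
    [pscustomobject]@{ Host = 'WS01'; 'Entry Location' = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        Entry = 'SecurityHealth'; 'Image Path' = 'c:\windows\system32\securityhealthsystray.exe'
        Signer = '(Verified) Microsoft Windows'; 'VT detection' = '0/70'; 'SHA-256' = 'AAA' }
    [pscustomobject]@{ Host = 'WS01'; 'Entry Location' = 'Task Scheduler'
        Entry = '\OneDrive Update'; 'Image Path' = 'c:\users\alice\appdata\roaming\update\svchost.exe'
        Signer = '(Not verified) Contoso'; 'VT detection' = '12/70'; 'SHA-256' = 'BBB' }
)
$baseline = @('AAA')   # hashes recorded on yesterday's run
Find-SuspiciousAutoruns -Entries $sample -BaselineHashes $baseline | Format-Table -AutoSize

# On a live host, replace $sample with the log itself:
# $live = Get-WinEvent -LogName Autoruns | ForEach-Object { $_.Message | ConvertFrom-Json }
```

Only the scheduled-task row is reported, with four reasons (unsigned, VirusTotal detections, not in baseline, runs from a user profile); the verified Microsoft entry is silent. The same four conditions map directly onto QRadar rule tests once the fields from step 5 are parsed.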

About QMasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
