Integrating Autoruns with Security Onion

I recently presented “Uncovering Persistence With Autoruns & Security Onion” at the 2016 Security Onion Conference. You can find the deck here:

http://www.slideshare.net/DefensiveDepth/security-onion-conference-2016  (Github Repo , Wiki)

The ability to remain active on a target system even after reboots is a key component of a long-term successful compromise. Unfortunately, there are a number of ways for a threat actor to persist in Windows across reboots, and it can be very difficult to comprehensively identify these areas without specialized software. This is where Sysinternals’ Autoruns (AR) come into play. Autoruns is a Sysinternals’ tool that has been widely used in the industry to help bring to light the many different areas in Windows used for persistence.

The purpose of this integration is succinctly thus:

To further enhance the host-level capabilities of Security Onion by integrating Sysinternals Autoruns’ logs into the Security Onion ecosystem, and making this data available for OSSEC rulesets as well as ELSA queries.

Tagged

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s