I recently presented “Uncovering Persistence With Autoruns & Security Onion” at the 2016 Security Onion Conference. You can find the deck here:
http://www.slideshare.net/DefensiveDepth/security-onion-conference-2016 (GitHub Repo, Wiki)
The ability to remain active on a target system even after reboots is a key component of a long-term successful compromise. Unfortunately, there are a number of ways for a threat actor to persist in Windows across reboots, and it can be very difficult to comprehensively identify these areas without specialized software. This is where Sysinternals’ Autoruns (AR) comes into play. Autoruns is a Sysinternals tool that has been widely used in the industry to bring to light the many different areas in Windows used for persistence.
The purpose of this integration, put succinctly, is:
To further enhance the host-level capabilities of Security Onion by integrating Sysinternals Autoruns’ logs into the Security Onion ecosystem, and making this data available for OSSEC rulesets as well as ELSA queries.
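As an added illustration (not code from the talk or from the Security Onion integration), here is a small Python review of Autoruns CSV lines of the kind such an integration would ship to Security Onion, flagging the entries a ruleset would typically surface first: enabled entries whose image is not signed by a verified signer, or whose image lives in a user-writable directory. The column header, the `enabled` / `(Verified)` field values and every sample row are assumptions or constructed data, not output captured from a real host.

```python
import csv
import io

# Column names modelled on autorunsc.exe -c output (assumption; a real export may add fields).
HEADER = ("Time,Entry Location,Entry,Enabled,Category,Profile,Description,"
          "Signer,Company,Image Path,Version,Launch String")

# Constructed sample rows, not captured data: a benign OS entry, an unverified binary under a
# user profile, a disabled legacy service, and a signed scheduled task in a public directory.
SAMPLE_CSV = HEADER + "\n" + "\n".join([
    r'20160801-120000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,'
    r'Logon,System-wide,Windows Security tray,(Verified) Microsoft Windows,Microsoft Corporation,'
    r'c:\windows\system32\securityhealthsystray.exe,10.0.0.0,"%windir%\system32\SecurityHealthSystray.exe"',
    r'20160801-120000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,'
    r'DESKTOP\alice,Updater Service,(Not verified) Contoso Ltd,Contoso Ltd,'
    r'c:\users\alice\appdata\roaming\updater\updater.exe,1.0.0.1,"c:\users\alice\appdata\roaming\updater\updater.exe /silent"',
    r'20160801-120000,HKLM\SYSTEM\CurrentControlSet\Services,OldAgent,disabled,Services,'
    r'System-wide,Legacy agent,(Not verified) Contoso Ltd,Contoso Ltd,'
    r'c:\programdata\oldagent\agent.exe,2.0.0.0,"c:\programdata\oldagent\agent.exe"',
    r'20160801-120000,Task Scheduler,\SyncTask,enabled,Scheduled Tasks,System-wide,'
    r'Sync helper,(Verified) Contoso Ltd,Contoso Ltd,c:\users\public\sync\sync.exe,'
    r'3.1.0.0,"c:\users\public\sync\sync.exe"',
])

# Path fragments an unprivileged user can normally write to (compared lower-case).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def is_verified(signer):
    """Autoruns prefixes a signer whose signature it validated with '(Verified)' (assumption)."""
    return signer.strip().lower().startswith("(verified)")


def review_autoruns(csv_text):
    """Return one finding per enabled entry that fails a review check."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # disabled entries remain on disk but will not run at boot or logon
        reasons = []
        if not is_verified(row["Signer"]):
            reasons.append("signer not verified")
        if any(marker in row["Image Path"].lower() for marker in USER_WRITABLE):
            reasons.append("image in user-writable location")
        if reasons:
            findings.append({"location": row["Entry Location"], "entry": row["Entry"],
                             "image": row["Image Path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(*review_autoruns(SAMPLE_CSV), sep="\n")
```

Each finding carries the entry location and image path, which is exactly the pair an OSSEC rule would match on or an ELSA query would pivot from.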