palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response

Added enumeration of other persistence mechanisms to AutorunsToWinEventLog.ps1 #23

Closed (vector-sec closed this pull request 5 years ago)

vector-sec commented 6 years ago

I added enumeration of BITS jobs, Desktop shortcuts, and Browser extensions to the script, using event IDs 2, 3, and 4 respectively for each new class of data.

These modifications were made because Sysinternals Autoruns does not presently support enumeration of these persistence mechanisms.

ATT&CK References
- https://attack.mitre.org/wiki/Technique/T1197
- https://attack.mitre.org/wiki/Technique/T1176
- https://attack.mitre.org/wiki/Technique/T1023
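The approach the pull request describes, as an added example written for this page rather than the project's own AutorunsToWinEventLog.ps1 or the PR's diff: enumerate the three persistence locations Autoruns does not cover and write each finding to an event log as a JSON message, keeping the PR's ID assignment of 2 for BITS jobs, 3 for desktop shortcuts and 4 for browser extensions. The log name, source name, the profile paths searched, and the choice of Chrome, Edge and Firefox as the browsers inventoried are assumptions made here, not details taken from the PR; `Get-BitsTransfer -AllUsers` needs an elevated session.

```powershell
# Added example (not the project's script): inventory BITS jobs, desktop
# shortcuts and browser extensions and log them as event IDs 2, 3 and 4.
# ASSUMPTION: log/source names and search paths are placeholders; point them
# at the channel your WEF subscription actually collects.
#Requires -RunAsAdministrator
$LogName = 'Autoruns'
$Source  = 'AutorunsToWinEventLog'

function Get-BitsJobInventory {
    # -AllUsers requires elevation; unelevated you only see the caller's jobs.
    Import-Module BitsTransfer -ErrorAction Stop
    foreach ($job in Get-BitsTransfer -AllUsers) {
        [pscustomobject]@{
            JobId         = $job.JobId.ToString()
            DisplayName   = $job.DisplayName
            Owner         = $job.OwnerAccount
            State         = $job.JobState.ToString()
            TransferType  = $job.TransferType.ToString()
            # NotifyCmdLine is the field abused for T1197: BITS runs it when the job completes.
            NotifyCmdLine = $job.NotifyCmdLine
            Files         = @($job.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" })
        }
    }
}

function Get-DesktopShortcutInventory {
    # Users\Public\Desktop is matched by the same wildcard, so one pattern covers both.
    $shell = New-Object -ComObject WScript.Shell
    $pattern = "$env:SystemDrive\Users\*\Desktop\*.lnk"
    foreach ($lnk in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)   # resolves target/arguments (T1023 lives here)
        [pscustomobject]@{
            Path       = $lnk.FullName
            Target     = $sc.TargetPath
            Arguments  = $sc.Arguments
            WorkingDir = $sc.WorkingDirectory
            IconPath   = $sc.IconLocation
            LastWrite  = $lnk.LastWriteTimeUtc.ToString('o')
        }
    }
}

function Get-BrowserExtensionInventory {
    # Chromium browsers: Extensions\<id>\<version>\manifest.json per installed extension.
    $chromium = @(
        "$env:SystemDrive\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json",
        "$env:SystemDrive\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\*\*\manifest.json"
    )
    foreach ($m in Get-ChildItem -Path $chromium -ErrorAction SilentlyContinue) {
        try { $j = Get-Content -LiteralPath $m.FullName -Raw | ConvertFrom-Json } catch { continue }
        $browser = 'Chrome'
        if ($m.FullName -like '*\Microsoft\Edge\*') { $browser = 'Edge' }
        [pscustomobject]@{
            Browser      = $browser
            ExtensionId  = $m.Directory.Parent.Name
            Version      = $m.Directory.Name
            Name         = $j.name              # may be a __MSG_* localisation key
            Permissions  = @($j.permissions)
            ManifestPath = $m.FullName
        }
    }
    # Firefox keeps a per-profile index of installed add-ons in extensions.json.
    $ff = "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json"
    foreach ($f in Get-ChildItem -Path $ff -ErrorAction SilentlyContinue) {
        try { $j = Get-Content -LiteralPath $f.FullName -Raw | ConvertFrom-Json } catch { continue }
        foreach ($a in $j.addons) {
            [pscustomobject]@{
                Browser = 'Firefox'; ExtensionId = $a.id; Version = $a.version
                Name = $a.defaultLocale.name; Active = $a.active; ManifestPath = $f.FullName
            }
        }
    }
}

function Write-InventoryEvent {
    param([int]$EventId, [object[]]$Items)
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
    foreach ($item in $Items) {
        # One event per finding keeps each message small and lets the collector
        # filter on fields (e.g. a non-empty NotifyCmdLine) instead of a blob.
        $msg = $item | ConvertTo-Json -Compress -Depth 4
        Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
                       -EntryType Information -Message $msg
    }
}

Write-InventoryEvent -EventId 2 -Items (Get-BitsJobInventory)
Write-InventoryEvent -EventId 3 -Items (Get-DesktopShortcutInventory)
Write-InventoryEvent -EventId 4 -Items (Get-BrowserExtensionInventory)
```

Two things to check before relying on this on the collector side: the WEF subscription must actually select the custom log, otherwise the new IDs never leave the host, and each new ID needs its own query or detection logic (a BITS job with a NotifyCmdLine, a shortcut whose target is a script host with encoded arguments, an extension id that is not on an allow list), since the events are a periodic snapshot of what is on disk rather than an alert on a change.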

palantirtech commented 6 years ago

Thanks for your interest in palantir/windows-event-forwarding, @vector-sec! Before we can accept your pull request, you need to sign our contributor license agreement - just visit https://cla.palantir.com/ and follow the instructions. Once you sign, I'll automatically update this pull request.

clong commented 6 years ago

Hey @vector-sec, thanks for the contribution! I've got a bit on my plate at the moment, but should be finished with a review of this in a week or so.

clong commented 5 years ago

Closing due to inactivity.