This Splunk Add-On runs autoruns command line edition and parses the data ready for use in Splunk

Autoruns, has the most comprehensive knowledge of auto-starting locations of any startup monitor, it shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.

Autoruns URL Here

This app will run the following command autorunsc.exe -c -h -accepteula Then output the results to screen and index into Splunk. Providing you with the following fields

• category
• company
• description
• enabled
• entry
• entry_location
• entry_time
• image_path
• imphash
• launch_string
• md5
• pesha1
• pesha256
• profile
• sha1
• sha256
• version

autorunsc.exe -c -h -m -accepteula -a *

• -m Hide Microsoft entries (signed entries if used with -v).
• -a Autostart entry selection: * All.
• -c Print output as CSV.
• -accepteula Accept the end user license agreement
• -h Show file hashes.

Install the app on heavy forwarders, indexers and search heads for field extractions.

On the universal forwarder, create a local folder and add a file called inputs.conf. In that file add the following lines.

[script://.\bin\win_autoruns.cmd]
disabled = 0
interval = 3600 # Modify this interval depending on how frequent you want the script to run

Since this app runs on a schedule you can have a small licensing footprint by increasing the interval that this runs.

Thanks to MS and Mark Russinovich for making a kick arse tool for defenders :)