Thursday, 7 February 2019

Threat Hunting #18 - Run/RunOnce - Shell-Core EID 9707/9708

Detecting the command line of programs that run (or ran) from the Run/RunOnce autostart registry locations, using the Microsoft-Windows-Shell-Core/Operational log, event IDs 9707 and 9708. The channel is enabled by default, which makes it useful for forensics: it gives an execution history and an execution count for each autostart entry.

Events File Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Below is a summary of the programs running, or that were run, from Run/RunOnce on one machine:


These events are extremely valuable for finding traces of earlier infections that used Run or RunOnce as their persistence mechanism, even after the registry value and the binary have been removed. One caveat: like other Operational channels the log is small and wraps, so older history gets overwritten; collect the .evtx early in a case.
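A way to produce the kind of per-command summary shown above, as an added example and not a script from the original post. It assumes (not stated on the page) that the 9707/9708 message text has the form "Started execution of command '...'" / "Finished execution of command '...'" and pulls the command line out of the message with a regex; the path-based flagging at the end is an assumed hunting heuristic, not something the post prescribes.

```powershell
# Added example: summarize Run/RunOnce executions recorded by
# Microsoft-Windows-Shell-Core/Operational EID 9707/9708.
# Assumption: the event message reads "Started/Finished execution of command '<cmdline>'".
param(
    # Optional: an offline copy of Microsoft-Windows-Shell-Core%4Operational.evtx.
    # When omitted, the live channel on this machine is queried.
    [string]$EvtxPath
)

$filter = @{ Id = 9707, 9708 }
if ($EvtxPath) { $filter.Path = $EvtxPath }
else           { $filter.LogName = 'Microsoft-Windows-Shell-Core/Operational' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# One row per event: when it fired, which ID, and the command line parsed from the message.
$rows = foreach ($e in $events) {
    if ($e.Message -match "execution of command '(?<cmd>.+)'") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Command = $Matches.cmd
        }
    }
}

# Assumed hunting heuristic: autostart entries living in user-writable or
# temporary locations deserve a closer look.
$suspectPaths = '\\Temp\\', '\\AppData\\', '\\Users\\Public\\', '\\ProgramData\\'

# Execution history and count per command line, using the "started" events only
# so that a start/finish pair is not counted twice.
$summary = $rows | Where-Object Id -eq 9707 |
    Group-Object Command |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Count     = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            Suspect   = [bool]($suspectPaths | Where-Object { $_.Name -match $_ })
            Command   = $_.Name
        }
    }

$summary | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Run it as-is on a live host, or with `-EvtxPath` pointing at an .evtx collected from the image; entries with a low count and a recent FirstSeen are the ones that usually stand out during a hunt.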
