Thursday, 7 February 2019

Threat Hunting #18 - Run/RunOnce - Shell-Core EID 9707/9708

Detecting the command line of programs run from the Run/RunOnce auto-start locations using the Microsoft-Windows-Shell-Core/Operational events EID 9707 and 9708. This log is turned on by default, which makes it good for forensics: it gives an execution history and an execution count per program.

Events File Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Below a summary of programs running or that were run from Run/RunOnce for one machine:


These events are extremely valuable for finding traces of previous infections that used Run or RunOnce as a startup mechanism.
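The following PowerShell script is an added example, not part of the original post, of how such a per-machine summary can be built from the Shell-Core log. It reads EID 9707/9708 either from the live log or from an offline copy of the .evtx file named above (useful when triaging a disk image), groups the command lines and reports first seen, last seen and execution count. It assumes that the first EventData property of each event carries the program command line (with a fallback regex over the rendered message if that assumption does not hold on a given build), that 9707 marks the start and 9708 the end of an execution, and the path keywords used for the "review" flag are my own triage heuristic, not something the post defines.

```powershell
# Added example (not from the original post): summarise Run/RunOnce executions
# recorded in Microsoft-Windows-Shell-Core/Operational as EID 9707/9708.
param(
    [string]$LogName = 'Microsoft-Windows-Shell-Core/Operational',
    [string]$EvtxPath,                         # optional offline copy of the .evtx for forensics
    [datetime]$Since = (Get-Date).AddDays(-30)
)

# Build the Get-WinEvent filter: live log by default, offline file if -EvtxPath is given
$filter = @{ Id = 9707, 9708; StartTime = $Since }
if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = $LogName }

function Get-ShellCoreCommand {
    # Assumption: the command line is the first EventData property of 9707/9708.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    if ($Event.Properties.Count -gt 0 -and $Event.Properties[0].Value) {
        return [string]$Event.Properties[0].Value
    }
    # Fallback: the rendered message quotes the command line in single quotes
    if ($Event.Message -match "'(.+)'") { return $Matches[1] }
    return '<unparsed>'
}

# Constructed heuristic: auto-start entries launching from user-writable locations
# are worth a closer look during triage (legitimate software can live there too).
$reviewPaths = '\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\'

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Action  = if ($e.Id -eq 9707) { 'Started' } else { 'Finished' }   # assumed meaning
        Command = Get-ShellCoreCommand -Event $e
    }
}

# Execution history and count per command line; each 9707 counts as one run
$summary = $rows | Where-Object EventId -eq 9707 |
    Group-Object Command | ForEach-Object {
        $cmd = $_.Name
        $flag = ($reviewPaths | Where-Object { $cmd -like "*$_*" }) -ne $null
        [pscustomobject]@{
            Count     = $_.Count
            FirstSeen = ($_.Group | Measure-Object Time -Minimum).Minimum
            LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
            Review    = if ($flag) { 'yes' } else { '' }
            Command   = $cmd
        }
    } | Sort-Object Count -Descending

$summary | Format-Table -AutoSize -Wrap
```

Run it as-is on a live host, or as `.\ShellCoreRunOnce.ps1 -EvtxPath 'E:\evidence\Microsoft-Windows-Shell-Core%4Operational.evtx' -Since '2019-01-01'` against an exported log; a 9707 without a matching 9708 in `$rows` is a program that was still running (or was killed) when the log ends, which is sometimes the more interesting entry.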
