Investigate: Hosts View - Autoruns Tab

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on May 8, 2018.
Version 6
 

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

The Autoruns tab lists the autoruns, services, scheduled tasks, and cron jobs configured to run on the host, whether or not they are currently running. To access this tab, select a host from the Hosts view and click the Autoruns tab.

Workflow

high-level Investigate workflow with Investigate Endpoints and associated actions highlighted

What do you want to do?

                                                     
User Role | I want to ... | 11.1 Documentation
Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View
Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View
Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View
Threat Hunter | investigate endpoints (Version 11.1)* | Investigate Hosts
Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files
Threat Hunter | scan files and events for malware | Conducting Malware Analysis
Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide
Threat Hunter | view the autoruns, services, tasks, and cron jobs running on the host* | Analyze Autoruns

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Autoruns tab:

Autoruns tab

                       
Category | Description

Autoruns
Files that are executed at start-up. The panel displays the following columns (values are from the example screenshot):
  • File name - cmd.exe
  • Registry path - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot @AlternateShell
cmd.exe is the default value of AlternateShell, the shell Windows starts in Safe Mode with Command Prompt; a different binary in this value is worth investigating.

Services
Files registered as a service on the selected host, running or stopped. The panel displays the following columns:
  • Service name - acsock
  • Running status - stopped
  • File creation time - 07/11/2017 11:47:00 am
  • Signature - Microsoft, signed, valid
  • File path - C:\Windows\System32\drivers

Tasks/Cron jobs
Files that are configured to run as scheduled tasks (Windows) or cron jobs (Linux), along with the trigger. The panel displays the following columns:
  • Name - shell32.dll
  • Hash - cafa6e7b6a9220e7c805ea476a89a78800f48bb48c66fe5f935057940df3909c
  • Last run time - 01/19/2018 05:34:50 pm
  • Next run time - 12/30/1899 05:30:00 am
  • Trigger - No Trigger
A next run time of 12/30/1899 is the zero value of a Windows OLE Automation date, that is, no next run is scheduled; together with "No Trigger" it marks a task that exists but will not fire on its own.
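The following script is an added example, not RSA NetWitness code, that collects from the local Windows host the same three data sets the Autoruns tab displays (autoruns, services, tasks) using the tab's column names, so an analyst can cross-check what the endpoint agent reports. The autorun registry keys it reads are a representative subset chosen for illustration, not the agent's list; everything else uses standard Windows PowerShell cmdlets.

```powershell
# Added example, not RSA NetWitness code: rebuild the Autoruns tab's three views from the
# local host. Run in an elevated Windows PowerShell 5.1+ session.
# The registry keys in Get-LocalAutoruns are an illustrative subset (assumption).

function Resolve-ImagePath {
    param([string]$CommandLine)
    # Command lines may be quoted, carry arguments, use %SystemRoot%, or carry the
    # \SystemRoot\ and \??\ kernel prefixes seen in driver entries; reduce to the binary.
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine) -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    if (-not $exe) { return $null }
    if (-not (Test-Path -LiteralPath $exe)) {
        if (-not [IO.Path]::IsPathRooted($exe) -and (Test-Path -LiteralPath "$env:SystemRoot\$exe")) { return "$env:SystemRoot\$exe" }
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($found) { return $found.Source }
    }
    return $exe
}

function Get-SignatureSummary {
    param([string]$Path)
    # Mirrors the tab's Signature column: "<signer>, signed, <status>" or "unsigned".
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'file not found' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($null -eq $sig.SignerCertificate) { return 'unsigned' }
    $signer = (($sig.SignerCertificate.Subject -split ',')[0] -replace '^CN=', '').Trim()
    return "$signer, signed, $($sig.Status.ToString().ToLower())"
}

function Get-LocalAutoruns {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'   # holds the AlternateShell value
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }   # skip provider metadata
            $exe = Resolve-ImagePath $p.Value
            if (-not $exe) { continue }
            $hive = $key.Replace('HKLM:', 'HKEY_LOCAL_MACHINE').Replace('HKCU:', 'HKEY_CURRENT_USER')
            [pscustomobject]@{
                FileName     = Split-Path -Leaf $exe
                RegistryPath = "$hive @$($p.Name)"
                Signature    = Get-SignatureSummary $exe
            }
        }
    }
}

function Get-LocalServices {
    # Win32_Service covers user-mode services; Win32_SystemDriver covers kernel drivers
    # such as the tab's "acsock" example, whose file sits under System32\drivers.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        foreach ($svc in Get-CimInstance -ClassName $class) {
            $exe = Resolve-ImagePath $svc.PathName
            $created = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-Item -LiteralPath $exe).CreationTime } else { $null }
            [pscustomobject]@{
                ServiceName      = $svc.Name
                RunningStatus    = "$($svc.State)".ToLower()
                FileCreationTime = $created
                Signature        = Get-SignatureSummary $exe
                FilePath         = if ($exe) { Split-Path -Parent $exe } else { $null }
            }
        }
    }
}

function Get-LocalScheduledTasks {
    # The tab's 12/30/1899 next-run value is the zero OLE Automation date (nothing scheduled);
    # Get-ScheduledTaskInfo reports that as $null, and uses 11/30/1999 as the "never ran"
    # placeholder for LastRunTime. Both are shown as 'none' here.
    $neverRan = [datetime]'1999-11-30'
    foreach ($task in Get-ScheduledTask) {
        $info     = $task | Get-ScheduledTaskInfo
        $action   = @($task.Actions | Where-Object { $_.Execute })[0]
        $exe      = if ($action) { Resolve-ImagePath $action.Execute } else { $null }
        $hash     = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower() } else { $null }
        $triggers = @(foreach ($t in $task.Triggers) { $t.CimClass.CimClassName -replace '^MSFT_Task', '' })
        [pscustomobject]@{
            TaskName    = $task.TaskPath + $task.TaskName
            Name        = if ($exe) { Split-Path -Leaf $exe } else { $null }
            Hash        = $hash
            LastRunTime = if ($info.LastRunTime -and $info.LastRunTime -gt $neverRan) { $info.LastRunTime } else { 'none' }
            NextRunTime = if ($info.NextRunTime) { $info.NextRunTime } else { 'none' }
            Trigger     = if ($triggers.Count) { $triggers -join '; ' } else { 'No Trigger' }
        }
    }
}

# Usage: one table per category, matching the tab's three sections.
Get-LocalAutoruns       | Format-Table -AutoSize
Get-LocalServices       | Format-Table -AutoSize
Get-LocalScheduledTasks | Format-Table Name, Hash, LastRunTime, NextRunTime, Trigger -AutoSize
```

When the local output and the tab disagree for the same host (an unsigned service binary the agent reports as signed, a task with a trigger the tab shows as "No Trigger"), treat the host itself as the source of truth and check the agent's last scan time before drawing conclusions from either.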

Autoruns Properties Panel

This panel displays all properties of the selected file. It is grouped as follows:

                                   
Category | Description

General
  • General information about the file, such as file name, entropy, size, and format.
  • Signature - Signatory information for the file.
  • Hash - Hashes of the file (MD5, SHA1, and SHA256).
  • Time - Time when the file was created, modified, or accessed.
  • Location - Location of the file.

Image
  • Loaded image.
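To make the General, Signature, Hash, Time and Location groups concrete, the following added example (not RSA NetWitness code) computes the same properties for one file on the local host. The entropy is Shannon entropy over the file bytes in bits per byte (0 to 8): packed or encrypted payloads score near 8, while ordinary PE code sits well below. The sample path at the end is an assumption; pass any file path the Autoruns tab reports.

```powershell
# Added example, not RSA NetWitness code: the properties panel's fields for one file.
# Reads the whole file into memory, which is fine for triage of typical binaries.

function Get-FileEntropy {
    param([byte[]]$Bytes)
    # Shannon entropy H = -sum(p_i * log2 p_i) over the 256 possible byte values.
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $Bytes.Length
        $entropy -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($entropy, 3)
}

function Get-FileFormat {
    param([byte[]]$Bytes)
    # Minimal magic-number check: 'MZ' marks a PE image (exe/dll/sys), 0x7F 'ELF' a Linux binary.
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A) { return 'PE' }
    if ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0x7F -and $Bytes[1] -eq 0x45 -and $Bytes[2] -eq 0x4C -and $Bytes[3] -eq 0x46) { return 'ELF' }
    return 'unknown'
}

function Get-AutorunFileProperties {
    param([Parameter(Mandatory)][string]$Path)
    $item  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($item.FullName)
    $sig   = Get-AuthenticodeSignature -LiteralPath $item.FullName
    [pscustomobject]@{
        # General
        FileName  = $item.Name
        Entropy   = Get-FileEntropy $bytes
        Size      = $item.Length
        Format    = Get-FileFormat $bytes
        # Signature
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SigStatus = $sig.Status.ToString()
        # Hash
        MD5       = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash.ToLower()
        SHA1      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA1).Hash.ToLower()
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash.ToLower()
        # Time
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        Accessed  = $item.LastAccessTime
        # Location
        Location  = $item.DirectoryName
    }
}

# Usage (the path is an assumption): compare the output with the panel for the same host.
Get-AutorunFileProperties -Path "$env:SystemRoot\System32\cmd.exe" | Format-List
```

A signed file whose SHA256 differs from the value the panel shows for the same path has changed since the agent's last scan; a high entropy value on an unsigned autorun is the usual cue to pull the file for deeper analysis.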
