This is what I use for my threat hunting.
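<#
Collect AutoRuns Records
This script is used to gather autoruns data for threat hunting.

Flow:
  first run  : autoruns.csv -> ReferenceAutoRuns.csv (the baseline), which is
               also copied to DeltaAutoRuns.csv so a delta file always exists
  later runs : autoruns.csv -> DifferenceAutoRuns.csv, rows that differ from
               the baseline are written to DeltaAutoRuns.csv, then the
               difference file is removed so the next run is again compared
               against the same baseline

Run elevated: autorunsc needs it for full coverage and $directory (C:\) is not
writable by a standard user. Re-baseline by deleting ReferenceAutoRuns.csv.
Note that the baseline is a plain file on the host being hunted; anyone with
write access to it can hide an entry from the delta, so keep an off-host copy
(or a hash of it) if the baseline is meant to be trusted over time.
#>

# Tool location and the raw CSV it writes (current working directory, as before).
# A relative exe path resolves against the working directory; pin it to the
# known-good install location before deploying this on hunt hosts.
$autorunsExe = ".\autorunsc64.exe"
$rawOutput = "autoruns.csv"

# Flags: -a * all entry categories, -s verify signatures, -h hash images,
# -m hide signed-Microsoft entries, -ct tab-delimited output.
& $autorunsExe -accepteula -a * -s -h -m -ct -nobanner > $rawOutput

# All working files live under $directory. Join-Path replaces the string
# concatenation so the path is correct whether or not $directory ends in "\".
$directory = "C:\"
$renamedReferenceCSV  = Join-Path $directory "ReferenceAutoRuns.csv"
$renamedDifferenceCSV = Join-Path $directory "DifferenceAutoRuns.csv"
$deltaFile            = Join-Path $directory "DeltaAutoRuns.csv"

# Stop early if autorunsc produced nothing (wrong path, not elevated, ...).
# The original carried a null $x1 forward and failed later on a null path.
$x1 = Get-ChildItem -File $rawOutput -ErrorAction SilentlyContinue | Select-Object Name, FullName
if ($null -eq $x1) {
    Write-Error "$rawOutput was not produced by $autorunsExe"
    exit 1
}

if (-not (Test-Path $renamedReferenceCSV)) {
    # First run: establish the baseline. Move-Item (not Rename-Item) so the file
    # lands under $directory even when the script is launched from elsewhere;
    # Rename-Item only renames in place, so Test-Path above never saw the file
    # unless the working directory happened to be $directory.
    Move-Item -LiteralPath $x1.FullName -Destination $renamedReferenceCSV
    Copy-Item -LiteralPath $renamedReferenceCSV -Destination $deltaFile
}
elseif (Test-Path $renamedDifferenceCSV) {
    # A leftover difference file means an earlier run did not finish its
    # cleanup. The original skipped silently here; say so instead of comparing
    # against stale data.
    Write-Warning "$renamedDifferenceCSV already exists; remove it and re-run"
}
else {
    Move-Item -LiteralPath $x1.FullName -Destination $renamedDifferenceCSV

    # autorunsc -ct emits tab-separated values, so the delimiter is a tab ("`t").
    # The original " t" (space, t) is not a single delimiter character.
    # -ErrorAction Stop: a silently failed import would otherwise surface only
    # as a null-argument error from Compare-Object.
    $importReferenceCSV  = Import-Csv -Delimiter "`t" -LiteralPath $renamedReferenceCSV  -ErrorAction Stop
    $importDifferenceCSV = Import-Csv -Delimiter "`t" -LiteralPath $renamedDifferenceCSV -ErrorAction Stop

    # Keep only rows that are not identical on both sides. Expanding InputObject
    # drops SideIndicator (new vs. gone), which keeps the delta in the same
    # column layout as the autoruns output; keep SideIndicator if you need
    # added-vs-removed in the delta.
    # Export-Csv defaults to ASCII in Windows PowerShell; add -Encoding UTF8
    # if image paths can contain non-ASCII characters.
    Compare-Object -ReferenceObject $importReferenceCSV -DifferenceObject $importDifferenceCSV |
        Select-Object -ExpandProperty InputObject |
        Export-Csv -LiteralPath $deltaFile -NoTypeInformation

    # Pause kept from the original; presumably to let the export settle before
    # cleanup. Not required for correctness.
    Start-Sleep 10

    # Clean Up Old Files
    Remove-Item -LiteralPath $renamedDifferenceCSV
}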