Toggle navigation
art [i | e] facts . help
Nav
GitHub
Feedback
Windows
All
NTFS
$Bitmap
$I30
$LogFile
$MFT
$MFTMir
$Secure
$UsnJrnl
MACB timestamps
ETW
Overview
Tools
Events integrity
System uptime
Authentication
Destination host
Source host
Domain Controllers
Remote Desktop
Destination host
Source host
Remote Desktop Gateway
PowerShell remoting
Destination host
Source host
Users and security groups
Process creation
PowerShell activity
Network shares
Devices and USB activity
Windows Defender
Windows Firewall
Windows Services
Windows Scheduled Tasks
Registry ASEP
WMI
AD NTDS dumping
Sigma rules
Registry
Overview
Timestamp
Tools
System information
ComputerName
CurrentVersion
Security - Policy
ProfileList
SAM - Local users
TimeZoneInformation
Select
Network interfaces (Interfaces)
Network interfaces (NetworkList)
LanmanServer\Shares
FirewallPolicy
Installed applications (App Paths)
Installed applications (Uninstall)
Devices and USB activity
Windows devices terminology
Enum\USB
Enum\USBSTOR
Enum\SWD\WPDBUSENUM
MountedDevices
DeviceClasses
Windows Portable Devices
VolumeInfoCache
EMDMgmt
MountPoints2
Auto-Start Extensibility Points
BAM / DAM
ComDlg32
OpenSaveMRU / OpenSavePidlMRU
LastVisitedMRU / LastVisitedPidlMRU
CIDSizeMRU
FeatureUsage
Map Network Drive MRU
MountPoints2
MUICache
PortProxy
RecentApps
RunMRU
Scheduled tasks (Taskcache)
Services
Shellbags
Terminal Server Client\Servers
TypedURLs
UserAssist
WordWheelQuery
Amcache
Hiberfil.sys
Jumplists
LNK / Shortcut files
.NET CLR UsageLogs
PCA
PowerShell ConsoleHost_history
PowerShell Transcript
Prefetch
RDP
Processes
ETW - Destination host
ETW - Source host
ETW - Remote Desktop Gateway
RDP Bitmap Cache
Registry - Terminal Server Client
mstsc Jumplists
RecentFileCache
Recycle Bin
Setupapi logs
Shimcache
SRUM
Thumbs.db / Thumbcache
UAL / SUM
WebCacheV01
Windows Defender
ETW events
Microsoft Support logs
DetectionHistory files
Quarantine
Windows Push Notifications (wpndatabase.db)
Windows Search Database
Windows Timeline / ActivitiesCache
WMI
Processes
ETW events
WMI Event Subscription
Third-party softwares
RULER Project - Anti-virus
RULER Project - Remote Monitoring and Management
Web browsers
Overview
Internet Explorer
Edge (Legacy)
Edge (Chronium-based)
Google Chrome
Mozilla Firefox
Tools
By tag
Type - NTFS
Type - ETW
Type - Registry
Category - System information
Category - File knowledge
Category - Files and folders access
Category - Program execution
Category - PowerShell activity
Category - Browsing history
Category - Network usage
Category - USB activity
Category - Lateral movement
All
Destination host
Source host
Remote Desktop
All
Destination host
Source host
PowerShell remoting
All
Destination host
Source host
WMI
Category - Local persistence
Category - Defense evasion
Category - Miscellaneous
Category - Active Directory
Windows server roles
Active Directory Domain Services
Domain Controllers authentication
UAL / SUM
AD NTDS dumping
AD replication metadata
Active Directory persistence
Microsoft Exchange
Linux
Work in progress!
All
System information
User and group identifiers
Logging frameworks
Syslog
Linux Audit system
Shell histories
SSH
SSH known_hosts
utmp, wtmp, and btmp
viminfo
wget HSTS history
By tag
Type - Filesystem
Type - Logging framework
Category - System information
Category - File knowledge
Category - Files and folders access
Category - Program execution
Category - Lateral movement
All
Destination host
Source host
SSH
All
Destination host
Source host
Category - Local persistence
pberba - Persistence map
Tag
Category - Defense evasion
Category - Miscellaneous
Linux based appliances
VMware ESXi
Azure / Office365
Required privileges
Office365 security review
Licensing plans
Mailbox auditing configuration
Emails forwarding
Mailbox Email Forwarding
Mailbox Inbox rules
Mailbox Mail Flow / Transport rules
Mailbox delegations
Overview
Mailbox access rights / permissions
Recipient access right / permission
Folder-level permissions
OAuth permissions
Azure / Office365 logs
Overview
Logs search and collection
Office365 workloads logs
Exchange Online workload
Microsoft Flow workload
Azure activity / subscription logs
AWS
Required privileges
Basic security review
AWS logs
Overview
Logs search and collection
CloudTrail
Key fields
Notable API / events
Others
Network PCAP
SMTP email headers
Linux - Defense evasion
Automatically generated based on tag:
linux_defense_evasion
Title
Type
Summary
Location
View on GitHub