Automatically generated based on tag:
Title | Type | Summary |
---|---|---|
Procedure - Active Directory Domain Services NTDS offline mounting | Page | An exported NTDS database file can be mounted using dsamain, to then be queried in LDAP or with PowerShell cmdlets through the "AD Web Services". |
Procedure - ETW - Tools | Page | Tools for processing ETW and EVTX files, including: wevtutil, Get-WinEvent, LogParser, Winlogbeat, EvtxECmd, Chainsaw, Hayabusa, and Velociraptor. |
Procedure - Image acquisition and mounting | Page | |
Procedure - Logs search and collection tools | Page | CloudTrail logs can be collected in specific region or across all regions using third-party tools, such as Invictus-AWS. |
Procedure - Logs search and collection tools | Page | The Azure logs (Azure AD sign-ins and audit logs, Office 365 Unified and Mailbox Audit Logs, Azure Activity logs, etc.) can be collected using Microsoft PowerShell modules and third-party tools, such as DFIR-O365RC or Microsoft-Extractor-Suite. |
Procedure - Network PCAP | Page | Wireshark & tshark, Zeek, and ngrep usage. |
Procedure - Registry - Tools | Page | Tools for processing the Windows Registry, including: RegistryExplorer, RECmd, and RegRipper. |
Procedure - Required privileges | Page | The "Global Reader" role on the Azure AD tenant is required to access the Azure AD sign-ins and audit logs. The "View-Only Audit Logs" role in Exchange Online is required to access the Office 365 Unified and Mailbox Audit Logs. The "Log Analytics Reader" role on the Azure subscription is required to access the Azure Activity logs. The "Auditing\View audit log" permission is required in the Azure DevOps organization to access the Azure DevOps Activity logs. |