Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
ETW - Windows Scheduled Tasks | Page | Events recording the creation and operation of local Windows Scheduled Tasks. Main events: Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Event ID 106: "User "<ACCOUNT>" registered Task Scheduler task "\<TASK_NAME>"". Event ID 140: "User "<ACCOUNT>" updated Task Scheduler task "<TASK_NAME>"". Event ID 200: "Task Scheduler launched action "<EXECUTABLE>" in instance "<INSTANCE_GUID>" of task "<TASK_NAME>"". Channel: Security (events not enabled by default). Event ID 4698: "A scheduled task was created". Event ID 4702: "A scheduled task was updated". | Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Events: 100, 102, 103, 106, 107, 108, 110, 118, 119, 129, 140, 141, 200, 201. Channel: Security (events not enabled by default). Events: 4698, 4699, 4700, 4701, 4702. |
Registry - Auto-Start Extensibility Points | Page | A number of registry keys, known as Auto-Start Extensibility Points (ASEP) registry keys, reference programs that are executed whenever the system boots or a specific user logs on. The ASEP keys under HKLM are processed every time the system is started, while the ASEP keys under HKCU are only processed when the user associated with the hive logs onto the system. While threat actors commonly leverage only a subset of ASEP registry keys, hundreds of keys can be used to execute a program at boot or following a user logon. | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup; HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup; HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon; HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon; ... |
Shortcut files / LNK | Page | Shortcut files (*.lnk) are Windows Shell Items that reference an original file, folder, or application. While LNK files can be created manually, Windows also creates LNK files automatically as a result of numerous user activities, such as opening a non-executable file. Information of interest, per LNK file: target file absolute path, size and attributes; target file Modified, Accessed, and Created (MAC) timestamps as of the last access; sometimes information on the volume that stored the target file (local or network share, serial number, and label). Additionally, for automatically created LNK files, the creation and modification timestamps of the LNK file itself usually indicate when the target file was first and last opened. Shortcut files can also be automatically executed upon an interactive user logon by being placed under the system-wide Startup folder (under %ALLUSERSPROFILE%) or a user-scoped Startup folder (under each user's %APPDATA% folder). | Automatically created LNK on file access: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk; Automatically created LNK for documents opened using Microsoft Office products: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Office\Recent\*.lnk; Other common LNK locations: Users Desktop folder: <SYSTEMDRIVE>:\Users\<USERNAME>\Desktop\*.lnk; Startup folders: <SYSTEMDRIVE>:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.lnk and <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk |