Title: ETW - Active Directory (Domain Controllers) ntds.dit dumping
Type: Page
Summary:
Secrets stored in the Active Directory database (ntds.dit) can be retrieved in a number of ways:

- By leveraging the DRSUAPI replication functions, normally used by Domain Controllers to replicate objects' (replicated) properties. This attack can be conducted over the network (without executing code on a Domain Controller) and is known as "DCSync".

- By executing code / commands on a Domain Controller and exfiltrating the ntds.dit database directly. While the ntds.dit database can be accessed and copied using various tools and techniques, the "ntdsutil" built-in administration utility is often leveraged by threat actors to do so.

Location:
DCSync (DRSUAPI):
Channel: Security.
Event: 4662 (Property "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" or "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2").

NTDS export using ntdsutil:
Channel: ESENT (Application.evtx).
Events: 206, 325, 326, 327
Title: Hiberfil.sys
Type: Page
Summary:
The hiberfil.sys file is linked to the hibernation, hybrid sleep, and Fast Boot (Windows 8) / Fast Startup (Windows 10) features. Those features are mostly in use on Windows laptops / desktops and are generally not available by default on Windows virtual machines.

As the hiberfil.sys file is shared by three features, the file can be in various states, with its content being either a partial or a full memory snapshot. The partial memory snapshot, linked to the Fast Boot / Fast Startup feature, contains the memory of the Windows kernel and of session 0 processes, notably including the MFT and registry hives.

The hiberfil.sys file is zeroed out after a system boot starting from Windows 8 / 8.1 and must thus be retrieved from a powered-off system.

The structure of the hiberfil.sys file has evolved starting with Windows 8. Both the old and new formats can be analyzed using Volatility, by first converting the hibernation file to a raw file using the Volatility 3 windows.hibernation.Dump plugin.

Location:
<SYSTEMDRIVE>:\hiberfil.sys
Title: RDP Bitmap Cache
Type: Page
Summary:
The RDP Bitmap Cache contains partial image captures, in the bitmap format, of the remote host screen from Remote Desktop sessions. This feature is implemented to reduce the amount of data sent by the server.

Information of interest: small bitmap images, with a width of 64 pixels and a height of up to 64 pixels, that represent pieces of the content displayed in past Remote Desktop sessions of the user.

Thousands of tiles may be available in a given user's RDP Bitmap Cache folder.

Location:
"bcache*.bmc" and "cache????.bin" files under the "Terminal Server Client\Cache" directory.

Windows XP / Windows Server 2003:
<SYSTEMDRIVE>:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*

Windows 7 and later:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Terminal Server Client\Cache\*
Title: Thumbs.db and Thumbcache
Type: Page
Summary:
The Thumbs.db and Thumbcache files contain cached thumbnail previews for files (pictures, some document and media file types) in folders that were interactively accessed with Windows Explorer. Some document types, such as PDF files, will have their first page as their thumbnail preview.

The cached thumbnail previews persist even after deletion of the associated files.

The Thumbs.db files are stored in their associated folders, with one individual Thumbs.db file per folder. Since Windows Vista, Thumbs.db files are only generated for access through UNC paths (in the remote / shared directory).

Starting with Windows Vista, the Thumbcache files centralize thumbnails in a central location. Each Thumbcache file, labeled "thumbcache_<RESOLUTION>.db", contains thumbnails from all locations. The location of the file linked to a thumbnail is not stored in the Thumbcache file. However, a unique identifier may be used to retrieve the location of the associated file (mostly for non-deleted files).

Location:
Thumbs.db:
Individual hidden files in their associated folders.

Starting from Windows Vista, Thumbcache:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_<RESOLUTION>.db files.
Title: Windows 10 Timeline / ActivitiesCache.db
Type: Page
Summary:
Introduced in Windows 10 version 1803, the Windows Activity history tracks a number of operations on the system: programs used, local files opened, SharePoint documents consulted, and websites browsed (using Internet Explorer / Microsoft Edge Legacy).

The ActivitiesCache.db database only stores data for the last 30 days by default.

Information of interest, depending on the activity type: start and end times of the activity (in UTC), executable full path for program execution, file name / SharePoint link for files accessed using certain programs, created and last modified timestamps of the associated file, etc.

The history of the clipboard data may also be stored for a short amount of time (approximately 12 hours) in a non-default configuration.

Location:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\ConnectedDevicesPlatform\[L.<USERNAME> | *]\ActivitiesCache.db
Title: Windows Push Notifications (wpndatabase.db)
Type: Page
Summary:
Introduced in Windows 10, the Windows Push Notification service allows applications to deliver / push notifications, notably in the form of "Toast" notifications (pop-up boxes that can appear at the bottom right of the screen).

Each notification is associated with a dedicated entry in the Notification table of the wpndatabase.db database, with a system-wide database instance (for global notifications) and per-user database instances (for per-user notifications).

Information of interest: the arrival and expiry time of the notification, as well as a "payload" associated with the notification. For Toast notifications, the payload contains the content of the notification (such as message content for Instant Messaging applications).

The notifications are short-lived and deleted from the database after their expiry time or following a user acknowledgement, thus providing very limited historical data.

Location:
Per-user database and Write-Ahead Logging (WAL) files:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal

System-wide database and Write-Ahead Logging (WAL) files:
<SYSTEMDRIVE>:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
<SYSTEMDRIVE>:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal