Windows
All
- NTFS
  - $Bitmap
  - $I30
  - $LogFile
  - $MFT
  - $MFTMir
  - $Secure
  - $UsnJrnl
  - MACB timestamps
- ETW
  - Overview
  - Tools
  - Events integrity
  - System uptime
  - Authentication
    - Destination host
    - Source host
    - Domain Controllers
  - Remote Desktop
    - Destination host
    - Source host
    - Remote Desktop Gateway
  - PowerShell remoting
    - Destination host
    - Source host
  - Users and security groups
  - Process creation
  - PowerShell activity
  - Network shares
  - Devices and USB activity
  - Windows Defender
  - Windows Firewall
  - Windows Services
  - Windows Scheduled Tasks
  - Registry ASEP
  - WMI
  - AD NTDS dumping
  - Sigma rules
- Registry
  - Overview
  - Timestamp
  - Tools
  - System information
    - ComputerName
    - CurrentVersion
    - Security - Policy
    - ProfileList
    - SAM - Local users
    - TimeZoneInformation
    - Select
    - Network interfaces (Interfaces)
    - Network interfaces (NetworkList)
    - LanmanServer\Shares
    - FirewallPolicy
    - Installed applications (App Paths)
    - Installed applications (Uninstall)
  - Devices and USB activity
    - Windows devices terminology
    - Enum\USB
    - Enum\USBSTOR
    - Enum\SWD\WPDBUSENUM
    - MountedDevices
    - DeviceClasses
    - Windows Portable Devices
    - VolumeInfoCache
    - EMDMgmt
    - MountPoints2
  - Auto-Start Extensibility Points
  - BAM / DAM
  - ComDlg32
    - OpenSaveMRU / OpenSavePidlMRU
    - LastVisitedMRU / LastVisitedPidlMRU
    - CIDSizeMRU
  - FeatureUsage
  - Map Network Drive MRU
  - MountPoints2
  - MUICache
  - PortProxy
  - RecentApps
  - RunMRU
  - Scheduled tasks (Taskcache)
  - Services
  - Shellbags
  - Terminal Server Client\Servers
  - TypedPaths
  - TypedURLs
  - UserAssist
  - WordWheelQuery
- Amcache
- Hiberfil.sys
- Jumplists
- LNK / Shortcut files
- .NET CLR UsageLogs
- PCA
- PowerShell ConsoleHost_history
- PowerShell Transcript
- Prefetch
- RDP
  - Processes
  - ETW - Destination host
  - ETW - Source host
  - ETW - Remote Desktop Gateway
  - RDP Bitmap Cache
  - Registry - Terminal Server Client
  - mstsc Jumplists
- RecentFileCache
- Recycle Bin
- Setupapi logs
- Shimcache
- SRUM
- Thumbs.db / Thumbcache
- UAL / SUM
- WebCacheV01
- Windows Defender
  - ETW events
  - Microsoft Support logs
  - DetectionHistory files
  - Quarantine
- Windows Push Notifications (wpndatabase.db)
- Windows Search Database
- Windows Timeline / ActivitiesCache
- WMI
  - Processes
  - ETW events
  - WMI Event Subscription
- Third-party softwares
  - RULER Project - Anti-virus
  - RULER Project - Remote Monitoring and Management
  - Web browsers
By tag
- Type - NTFS
- Type - ETW
- Type - Registry
- Category - System information
- Category - File knowledge
- Category - Files and folders access
- Category - Program execution
- Category - PowerShell activity
- Category - Browsing history
- Category - Network usage
- Category - USB activity
- Category - Lateral movement
- Category - Local persistence
  - All
  - User-scoped (without requiring admin privileges)
- Category - Defense evasion
- Category - Miscellaneous
- Category - Active Directory
Windows server roles
- Active Directory Domain Services
- Microsoft Exchange
Linux
Work in progress!
All
- System information
  - User and group identifiers
- Logging frameworks
  - Syslog
  - Linux Audit system
- Shell histories
- SSH
  - SSH known_hosts
- utmp, wtmp, and btmp
- viminfo
- wget HSTS history
By tag
- Type - Filesystem
- Type - Logging framework
- Category - System information
- Category - File knowledge
- Category - Files and folders access
- Category - Program execution
- Category - Lateral movement
  - All
  - Destination host
  - Source host
  - SSH
- Category - Local persistence
- Category - Defense evasion
- Category - Miscellaneous
Linux based appliances
- VMware ESXi
Azure / Office365
Required privileges
Office365 security review
- Licensing plans
- Mailbox auditing configuration
- Emails forwarding
- Mailbox delegations
- OAuth permissions
Azure / Office365 logs
- Overview
- Logs search and collection
- Office365 workloads logs
  - Exchange Online workload
  - Microsoft Flow workload
- Azure activity / subscription logs
AWS
Required privileges
Basic security review
AWS logs
- Overview
- Logs search and collection
- CloudTrail
  - Key fields
  - Notable API / events
Others
Network PCAP
SMTP email headers

ETW - Authentication - Source host

Channel: Security.
Events: 4648, 4624 (LogonType 9).

Overview

Channel	Conditions	Events
`Security`	Default configuration. Only logged whenever alternate credentials are used.	Event `4648: A logon was attempted using explicit credentials`. Legacy: Events `552: Logon attempt using explicit credentials`.
`Security`	Default configuration. Only logged for `runas /NetOnly` (and similar) process execution.	Event `4624: An account was successfully logged on`, with `LogonType` `9` and the specified alternate credentials as `Network Account Domain` and `Network Account Name`. Using the `runas` command with the `/NetOnly` switch will generate an `4624` event with a `LogonType 9`, a `Seclogo` `LogonProcess`, and `svchost.exe` as the originating process. With the `/NetOnly` switch, Windows will not try to validate the specified credentials. The new process will run as the currently logged on user for local access, but any network connections to other computers will be made using the user account specified. This is due to the fact that, following a `runas /NetOnly`, Windows will create a new `Logon Session` with the provided credentials but will copy the current `access token` for the new process. Access to local resources will leverage that `access token`, while network connections will be made using the credentials associated with the `Logon Session`. Beyond `runas /NetOnly`, this `LogonType 9`, `Seclogo` `LogonProcess`, and `svchost.exe` originating process combination can be an indicator that a `Pass-The-Hash` attack was conducted. Without the `/NetOnly` switch, `runas` will generate `4624` (`LogonType 2`) and `4648` events in close proximity.

Security Event ID 4648

Windows Security Log Event ID 4648: A logon was attempted using explicit credentials.

Includes information about the target server: Target Server Name (hostname or IP) and Additional Information of the service requested.

The TargetServerName and TargetInfo fields can reference information about the remote server and service (such as TargetInfo set to TERMSRV/<HOSTNAME> for outgoing RDP).

References

Tags:

View on GitHub