Windows
All
- NTFS
  - $Bitmap
  - $I30
  - $LogFile
  - $MFT
  - $MFTMir
  - $Secure
  - $UsnJrnl
  - MACB timestamps
- ETW
  - Overview
  - Tools
  - Events integrity
  - System uptime
  - Authentication
    - Destination host
    - Source host
    - Domain Controllers
  - Remote Desktop
    - Destination host
    - Source host
    - Remote Desktop Gateway
  - PowerShell remoting
    - Destination host
    - Source host
  - Users and security groups
  - Process creation
  - PowerShell activity
  - Network shares
  - Devices and USB activity
  - Windows Defender
  - Windows Firewall
  - Windows Services
  - Windows Scheduled Tasks
  - Registry ASEP
  - WMI
  - AD NTDS dumping
  - Sigma rules
- Registry
  - Overview
  - Timestamp
  - Tools
  - System information
    - ComputerName
    - CurrentVersion
    - Security - Policy
    - ProfileList
    - SAM - Local users
    - TimeZoneInformation
    - Select
    - Network interfaces (Interfaces)
    - Network interfaces (NetworkList)
    - LanmanServer\Shares
    - FirewallPolicy
    - Installed applications (App Paths)
    - Installed applications (Uninstall)
  - Devices and USB activity
    - Windows devices terminology
    - Enum\USB
    - Enum\USBSTOR
    - Enum\SWD\WPDBUSENUM
    - MountedDevices
    - DeviceClasses
    - Windows Portable Devices
    - VolumeInfoCache
    - EMDMgmt
    - MountPoints2
  - Auto-Start Extensibility Points
  - BAM / DAM
  - ComDlg32
    - OpenSaveMRU / OpenSavePidlMRU
    - LastVisitedMRU / LastVisitedPidlMRU
    - CIDSizeMRU
  - FeatureUsage
  - Map Network Drive MRU
  - MountPoints2
  - MUICache
  - PortProxy
  - RecentApps
  - RunMRU
  - Scheduled tasks (Taskcache)
  - Services
  - Shellbags
  - Terminal Server Client\Servers
  - TypedURLs
  - UserAssist
  - WordWheelQuery
- Amcache
- Hiberfil.sys
- Jumplists
- LNK / Shortcut files
- .NET CLR UsageLogs
- PCA
- PowerShell ConsoleHost_history
- PowerShell Transcript
- Prefetch
- RDP
  - Processes
  - ETW - Destination host
  - ETW - Source host
  - ETW - Remote Desktop Gateway
  - RDP Bitmap Cache
  - Registry - Terminal Server Client
  - mstsc Jumplists
- RecentFileCache
- Recycle Bin
- Setupapi logs
- Shimcache
- SRUM
- Thumbs.db / Thumbcache
- UAL / SUM
- WebCacheV01
- Windows Defender
  - ETW events
  - Microsoft Support logs
  - DetectionHistory files
  - Quarantine
- Windows Push Notifications (wpndatabase.db)
- Windows Search Database
- Windows Timeline / ActivitiesCache
- WMI
  - Processes
  - ETW events
  - WMI Event Subscription
- Third-party softwares
  - RULER Project - Anti-virus
  - RULER Project - Remote Monitoring and Management
  - Web browsers
By tag
- Type - NTFS
- Type - ETW
- Type - Registry
- Category - System information
- Category - File knowledge
- Category - Files and folders access
- Category - Program execution
- Category - PowerShell activity
- Category - Browsing history
- Category - Network usage
- Category - USB activity
- Category - Lateral movement
- Category - Local persistence
- Category - Defense evasion
- Category - Miscellaneous
- Category - Active Directory
Windows server roles
- Active Directory Domain Services
- Microsoft Exchange
Linux
Work in progress!
All
- System information
  - User and group identifiers
- Logging frameworks
  - Syslog
  - Linux Audit system
- Shell histories
- SSH
  - SSH known_hosts
- utmp, wtmp, and btmp
- viminfo
- wget HSTS history
By tag
- Type - Filesystem
- Type - Logging framework
- Category - System information
- Category - File knowledge
- Category - Files and folders access
- Category - Program execution
- Category - Lateral movement
  - All
  - Destination host
  - Source host
  - SSH
- Category - Local persistence
- Category - Defense evasion
- Category - Miscellaneous
Linux based appliances
- VMware ESXi
Azure / Office365
Required privileges
Office365 security review
- Licensing plans
- Mailbox auditing configuration
- Emails forwarding
- Mailbox delegations
- OAuth permissions
Azure / Office365 logs
- Overview
- Logs search and collection
- Office365 workloads logs
  - Exchange Online workload
  - Microsoft Flow workload
- Azure activity / subscription logs
AWS
Required privileges
Basic security review
AWS logs
- Overview
- Logs search and collection
- CloudTrail
  - Key fields
  - Notable API / events
Others
Network PCAP
SMTP email headers

ETW - Network shares activity and access

Channel: Security.
Events: 5140, 5142, 5143, 5144, 5145.

Overview

For access and operations on network shares configured on the local system, and access to files and folders hosted on network shares.

By default no events are generated, as network share auditing requires advanced auditing policies to be enabled:

Audit File Share, for share access and lifecycle.
Audit Detailed File Share, for access to hosted files and folders access.

Enabling network share auditing may however generate an overwhelming amount of events.

Channel	Conditions	Events
`Security`	Requires `Audit File Share` to be enabled.	Events related to network shares: creation, deletion, modification, and access attempts of network shares. Do not track access to folders and files hosted on network shares. As there are no `System Access Control Lists` (`SACLs`) for shares, access to all shares on the system are audited. Event `5140: A network share object was accessed`. Generated every time a network share is accessed, but only once per session (upon first access attempt). `Object Type` is always `File` for this event. Event `5142: A network share object was added`. Event `5143: A network share object was modified`. Event `5144: A network share object was deleted`. All events include information about the account that performed the operation: username, domain, and `SID` as well as the `Logon ID` associated with the logon. Events `5140` also include network information: source IP address and port.
`Security`	Requires `Audit Detailed File Share` to be enabled.	Event related to access to folders and files hosted on network shares. The event is generated upon every access to a network shared file or folder (successful or not). Failure events are generated only when access is denied at the file share level, not a the file / folder level. The event may thus not indicate that the access to the shared file or folder was successful. Event `5145: A network share object was checked to see whether client can be granted desired access`. Includes information about the account that performed the operation: username, domain, and `SID`, the `Logon ID` associated with the logon, and the source IP address and port.

Tags:

View on GitHub