Embedded Files
Network Analysis
Network Analysis
C:\>ipconfig /all - Current Network Settings (CMD + PS)
Interesting Directories:
C:\Windows\System32\drivers\etc\hosts - DNS file
C:\Windows\System32\drivers\etc\etc\networks - Network config file
View Shared Folders & Resources
C:\>net view
C:\>net view \\<remote_ip>
View All Inbound Sessions: C:\>net session
List Info Related to Mapped Connections: C:\>net use
Display Active Connections, Listening TCP/UDP Ports, Correlate Statistics, & Identify Any Suspicious IPs/Ports:
C:\>netstat
C:\>netstat -anob (List IP/Ports numerically, Process ID, Process File Name)
User Analysis
User Analysis
Command whoami:
whoami /groups - View current user groups, account type, SID, & attributes
whoami /priv - View current user privileges
whoami /fqdn - Display current user's FQDN
whoami /logonid - View the current user's logon ID.
Credential Access Logs
Credential Access Logs
C:\Windows\System32\config\SAM - Local password hashes (Credential Dumping Attacks)
C:\Windows\repair\SAM - Backup of User Credentials
C:\Windows\System32\config\SECURITY - Security policies and access control settings
System & Event Logs
System & Event Logs
C:\Windows\System32\winevt - Windows event logs (useful for SIEM correlation)
C:\Windows\System32\config\SYSTEM - Tracks system-wide changes and configurations
C:\Windows\System32\config\SOFTWARE - Registry Hive (details of installed software and changes)
Malware & Threat Hunting Indicators
Malware & Threat Hunting Indicators
C:\Windows\Prefetch - Tracks recently executed programs (useful for forensic timelines)
C:\Windows\AppCompat\Programs\Amcache.hve - Logs details of executed apps (useful for detecting lateral movement)
C:\Windows\*\NTUSER.dat - User-specific registry settings, often abused for persistence.
Persistence & Startup Investigations
Persistence & Startup Investigations
C:\Documents & Settings\<user_name>\Start Menu\Programs\Startup - (Windows XP/7) Windows user startup programs (user-specific persistence mechanisms).
C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup - (Windows 10/11)User-specific persistence mechanisms
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup - Global startup folder for all users (often misused by malware).
Windows Log Events
Windows Log Events
Logon Types
Logon Types
Interactive (Logon Type 2) - happens when a user logs on to the computer.
Network (Logon Type 3) - occurs when a user or computer logs on to the computer from the network.
Batch (Logon Type 4) - used by batch servers. Scheduled tasks are executed on behalf of a user without human intervention.
Service (Logon Type 5) - used for services and service accounts that log in to run a service.
Unlock (Logon Type 7) - occurs when a user unlocks their machine.
Network Cleartext (Logon Type 8) - occurs when a user or computer logs on to the computer from the network, and the password is sent in clear text.
NewCredentials (Logon Type 9) - occurs when a user uses the 'RunAs' command to run an application.
RemoteInteractive (Logon Type 10) - occurs when a user remotely accesses the computer through RDP applications such as Remote Desktop, Remote Assistance or Terminal Services.
CachedInteractive (Logon Type 11) - recorded when a user logons to the computer without having to contact the domain controller, since the network credentials are locally stored on the computer.
Additional Resources:
Security Event IDs
Security Event IDs
System Event IDs
System Event IDs
Syslog Events
Syslog Events
Page updated
Google Sites
Report abuse