Logo
RSS Feed

πŸ‘ˆπŸΌ Back to
Incident Investigation πŸ”Ž πŸ₯·

Artefacts CheatSheet

πŸ€” How do I check for remote connections?

How to check if the system was accessed remotely? What sort of remote connections is the attacker likely to be using?

πŸ€” How Do I Spot Malware?

The number or applications installed or present on a device can sometimes be frightening. Not all of them are installed with the user’s consent. Some of them might be malicious. How does one spot these little pesky rodents?

πŸ€” How Do I Audit Management Tools?

Admins on payroll and those “magnanimous volunteers” often tread the very same path, albeit guided by different compasses of motivation. Once our cunning adversary ascends to the lofty heights of respect usually reserved for the admin on payroll, the misuse of these management tools becomes bound only by the limits of their mischievous imagination.

πŸ€” How To Investigation Terminal Activity?

Think of the terminal as a magic wand πŸͺ„ of the attacker. The beauty for them is that they can do all sorts of nasty things remotely, but their beauty also lies with their forensics perks: one can review the history of this activity.

πŸ€” How Do I Check For Logs Clearing?

Windows ❗️These techniques require admin or higher privileges. ❗️Common with ransomware When the Security trail is deleted, 1102 is usually created afterwards.

πŸ€” How Do I Check For Malicious Autostarts?

Windows Tasks Event logs Two trails are of use are Microsoft-Windows-TaskScheduler/Operational πŸ‡ (disabled by default on the newer systems) and Security πŸ›‘οΈ.

πŸ€” How Do I Check For Reconnaisance Activity?

Windows Event logs Monitoring for these events will cause a lot of noise and false positives.

πŸ€” How do I check program execution?

Windows You can use Prefetch which is the most reliable source. However, if the program is NOT there, it doesn’t mean it wasn’t executed.

πŸ€” How Do I Check System Information?

Windows Registry, of course. AmCache, Registry πŸ—„οΈ You can see firmware, hardware and OS info there.

πŸ€” How Do I Find Malicious or Compromised Accounts?

Windows Event logs It starts with the event 4720 (account created) and multiple 4732 events (member added to some security-enabled group).

πŸ€” How Do I investigate logon events?

Windows Event Logs There is a fine line between logon and account logon events, and that line is not just one word.

πŸ€” How Do I Spot Bruteforcing Activity?

Windows Event logs There will be no shortage of 4625 events (unsuccessful login) showing up in the logs.

πŸ€” How Do I Spot Injections?

Windows Sysmon logs, 25. References Expand… Something here