Remote vs local commands? Windows CMD / PowerShell. Windows PowerShell event logs (Operational / Monitoring): %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx, Event IDs 4103 and 4104 (4104 is logged at Warning level when Windows considers the script block suspicious).
Windows: There are two main places within the registry that contain that information: the SAM hive for local and Microsoft accounts, and Software\Microsoft\Windows NT\CurrentVersion\ProfileList for domain accounts.
*In order to detect and respond to incidents in a short time, there are playbooks, which are basically guidelines. Some IR frameworks include these to ease the process. Some techniques can give you both persistence and escalation, but sometimes persistence only. I will mark those that do both.*
Windows: Installed programs and applications. Key: Microsoft\Windows\CurrentVersion\Uninstall. Entries may remain for programs that no longer exist on the system.
Android
/data/data/com.google.android.apps.maps/databases/gmm_storage.db
# User Photos
/data/media/0/DCIM/Camera
/data/data/com.android.providers.media/databases/external.db
/data/media/0/bluetooth
/data/media/0/Download
/data/media/0/Pictures/Screenshots
/data/media/0/Pictures/Twitter
iOS
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoHistory.mapsdata
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoBookmarks.plist
/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
/private/var/mobile/Library/Caches/com.
Windows: Are we looking for USB storage media activity or all USB devices, e.g. cameras?
Windows: Volume Shadow Copies and System Restore. \System Volume Information\. Shadow Copies are the snapshots of data that get saved to disk when the System Restore option is enabled.