Windows and Linux Threat Hunting

• Windows ASEPs
  • https://cyberforensicator.com/2019/04/25/characteristics-and-detectability-of-windows-auto-start-extensibility-points-in-memory-forensics/
  • https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/
  • https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/
• Windows 11 Artifacts
  • Prefetch
  • Link Files
  • Jumplists
  • Recycle Bin
  • Amcache
  • AppCompatCache
  • Registry
  • Event Logs
  • https://github.com/EricZimmerman?tab=repositories
• Persistence
  • https://pentestlab.blog/methodologies/red-teaming/persistence/

AuditD

shadow files

• btrfs
• ecryptfs
• ext2
• ext3
• ext4
• fuse
• fuseblk
• jfs
• nfs
• overlay
• ramfs
• reiserfs
• tmpfs
• udf
• vfat
• xfs

Research

• Threat Hunting Using Sysmon
  • https://ravinacademy.com/course/threat-hunting-using-sysmon/