Windows and Linux Threat Hunting

  • Windows ASEPs
    • https://cyberforensicator.com/2019/04/25/characteristics-and-detectability-of-windows-auto-start-extensibility-points-in-memory-forensics/
    • https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/
  • Windows 11 Artifacts
    • Prefetch
    • Link Files
    • Jumplists
    • Recycle Bin
    • Amcache
    • AppCompatCache
    • Registry
    • Event Logs
    • https://github.com/EricZimmerman?tab=repositories
  • Persistence

AuditD

Shadow Files

  • btrfs
  • ecryptfs
  • ext2
  • ext3
  • ext4
  • fuse
  • fuseblk
  • jfs
  • nfs
  • overlay
  • ramfs
  • reiserfs
  • tmpfs
  • udf
  • vfat
  • xfs