DFIR-Notes
Windows Forensics

Incident Response Event Codes


Last updated 6 months ago

The map groups Windows event codes (event IDs) by the detection question they answer, with categories such as:

  • Network Activity
  • Initial Access
  • Privilege Escalation Detection
  • Process Creation
  • Persistence Detection - Scheduled Task
  • Persistence Registry Detection
  • PowerShell Detection
  • Buffer Overflow Detection
  • Lateral Movement Detection
  • DCSync Activity Detection
  • Golden Ticket Detection
  • Pass-the-Hash (PtH) Attack Detection
  • Pass-the-Ticket (PtT) Attack Detection

The full map is published as a draw.io HTML export in the Investigator-Hand repository on GitHub:

Investigator-Hand/Eventcods.drawio.html at main · 0Xdarkday/Investigator-Hand (GitHub)

(Image: screenshot of the event-code map; not reproduced here.)