Skip to content

CyLR 1.5.0
Compare
Choose a tag to compare
@orlikoski orlikoski released this 23 Aug 16:30
1.5.0
018aff9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

What's New

  • Windows Default Collection Improvements
    • SANS FOR500 recommended Windows artifacts
    • Now collects standard list of artifacts from User folders

New Default Windows Artifacts

  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\inf\setupapi.dev.log
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\sru
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\SAM
    • %SYSTEMROOT%\System32\config\SYSTEM
    • %SYSTEMROOT%\System32\config\SOFTWARE
    • %SYSTEMROOT%\System32\config\SECURITY
    • %SYSTEMROOT%\System32\config\SAM.LOG1
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG1
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG1
    • %SYSTEMROOT%\System32\config\SECURITY.LOG1
    • %SYSTEMROOT%\System32\config\SAM.LOG2
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG2
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG2
    • %SYSTEMROOT%\System32\config\SECURITY.LOG2
    • %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows
    • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %SystemDrive%$Recycle.Bin
    • %SystemDrive%$LogFile
    • %SystemDrive%$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\NTUSER.DAT.LOG1
    • {user.ProfilePath}\NTUSER.DAT.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer
    • {user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\
    • {user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
    • {user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\
Assets 3