more event logs added, more details about domain user information added
This commit is contained in:
parent
95f24a0a9f
commit
589a532bce
|
@ -38,11 +38,15 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
|
|||
* **4723**: Attempt to change an account password. The user attempts to change their password
|
||||
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
|
||||
* **4725**: Account disable
|
||||
* **4726**: Account removal
|
||||
* **4726**: Account removed from systemved from system
|
||||
* **4728**: Attempt to add an account to a global security group
|
||||
* **4729**: Attempt to remove an account from a global security group
|
||||
* **4738**: User account properties were changed
|
||||
* **4740**: User account was locked after repeated attempt of access
|
||||
* **4756**: Attempt to add an account to a universal security group
|
||||
* **4757**: Attempt to remove an account from a universal security group
|
||||
* **4768**: Kerberos TGT request
|
||||
* **4771**: Kerberos pre-auth failure
|
||||
|
||||
### Account Logon
|
||||
|
||||
|
|
|
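Review bot: event 4726 is listed twice in this hunk, once as "Account removal" and again as "Account removed from systemved from system", and the second line also carries a doubled fragment; keep a single clean entry such as `* **4726**: Account deleted` and drop the other. The Kerberos entries 4768 and 4771 sit directly above the `### Account Logon` heading although they belong to the Account Logon audit category, so they read better under that heading than among the account-management events 4723 to 4757.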
@ -14,15 +14,12 @@
|
|||
|
||||
## Paths
|
||||
|
||||
These parts of the registries are called hives. They can be found under the
|
||||
following path.
|
||||
|
||||
* `C:\Windows\System32\Config`
|
||||
* Default -> `HKEY_USERS\DEFAULT`
|
||||
* SAM -> `HKEY_LOCAL_MACHINE\SAM`
|
||||
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
|
||||
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
|
||||
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
|
||||
These parts of the registries are called hives. They can be found under `C:\Windows\System32\Config`.
|
||||
* Default -> `HKEY_USERS\DEFAULT`
|
||||
* SAM contains account names/status/groups, hashed password, login timestamps -> `HKEY_LOCAL_MACHINE\SAM`
|
||||
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
|
||||
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
|
||||
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
|
||||
|
||||
* `C:\Users\<username>\`
|
||||
* NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file
|
||||
|
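Review bot: the rewrite gives SAM a description (account names, status, groups, hashed password, login timestamps) but leaves SECURITY, SOFTWARE and SYSTEM as bare hive-to-key mappings; describe all four or none so the list is consistent. The SAM password hashes are also encrypted with the boot key held in the SYSTEM hive, which the NTDS section added in this same commit already relies on, so a short pointer on the SAM line (e.g. `hashed passwords (encrypted with the boot key from SYSTEM)`) would save the reader from discovering that only later.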
@ -31,6 +28,9 @@ following path.
|
|||
|
||||
* `C:\Windows\AppCompat\Programs\Amcache.hve`
|
||||
|
||||
* `C:\Windows\security\database\`
|
||||
* `secedit.sdb`, access control configuration
|
||||
|
||||
### Transaction Logs
|
||||
|
||||
* Transaction `<name of registry hive>.LOG` of the registry hive
|
||||
|
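Review bot: "access control configuration" undersells `secedit.sdb`; it is the local security policy database maintained by `secedit.exe` and the Security Configuration Engine, so `* secedit.sdb, local security policy database (secedit.exe)` is more precise. In the unchanged Transaction Logs context below, `<name of registry hive>.LOG` names the legacy file; current Windows versions write `.LOG1` and `.LOG2` beside each hive (e.g. `SYSTEM.LOG1`, `SYSTEM.LOG2`), and a forensic copy needs both to replay uncommitted changes into the hive, so the entry should name those files.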
@ -64,6 +64,7 @@ Following parts of EZTools should be taken note of.
|
|||
* RegRipper, cli and gui
|
||||
|
||||
## System Information
|
||||
|
||||
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
|
||||
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
|
||||
* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
|
||||
|
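Review bot: the new Time Zone entry omits the `->` separator that the OS Version and Computer Name lines use; make it `* Time Zone -> SYSTEM\CurrentControlSet\Control\TimeZoneInformation` so the list stays uniform.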
@ -160,6 +161,33 @@ GUIDs can be found in the following folder.
|
|||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
|
||||
|
||||
## Network
|
||||
|
||||
Network configuration can be found in the following path.
|
||||
|
||||
* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList`
|
||||
|
||||
## Domain Account Information
|
||||
|
||||
The NT Directory Services `NTDS.dit` hive is an active directory database which contains information about the domain users.
|
||||
|
||||
Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships, hashed passwords for user accounts, login timestamps, last set password, expiration time of the current password, security policies, OUs and connections to other domains.
|
||||
|
||||
To get information out of the `NTDS.dit` hive, it has to be exported along with the SYSTEM hive to get the boot key of the system for decryption.
|
||||
|
||||
Use `ntdsutil` tool to export a snapshot of the information.
|
||||
|
||||
```sh
|
||||
C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit
|
||||
```
|
||||
|
||||
Export the boot key of the system and use it for decryption.
|
||||
|
||||
```sh
|
||||
$BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM'
|
||||
Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\NTDS.dit' -BootKey $BootKey
|
||||
```
|
||||
|
||||
## Shim Cache
|
||||
|
||||
Application Compatibility, AppCompatCache
|
||||
|
|
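Review bot: `NTDS.dit` is called a hive, but it is an ESE (Extensible Storage Engine) database rather than a registry hive; in this section only SYSTEM is a hive, and the SYSTEM copy under `C:\Windows\Temp\NTDS\registry\` that the second snippet reads is produced by the `ifm` export itself, which is worth saying so the reader does not export it twice. Both code blocks are fenced as `sh` while the first is a Windows command line and the second is PowerShell; tag them `cmd` and `powershell`. `Get-BootKey` and `Get-ADDBAccount` are not built-in cmdlets but come from the DSInternals PowerShell module, which the text should name (an `Install-Module DSInternals` step before the snippet) or the commands will fail on a fresh system. The sentence "Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships" also needs "is" instead of "are", a comma after "username" and a space after "(SID),".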