From 622a3198a83109f6f3a54d5349a4c2821e4a1e6f Mon Sep 17 00:00:00 2001 From: whx Date: Sun, 26 Feb 2023 21:45:17 +0100 Subject: [PATCH] bump --- Forensics/Mail.md | 7 +++++++ Forensics/OLEtools.md | 11 ++++++++++- Forensics/Windows Event Logs.md | 9 +++++++++ Post Exploitation/Enum on Target.md | 5 +++++ 4 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 Forensics/Windows Event Logs.md diff --git a/Forensics/Mail.md b/Forensics/Mail.md index cd1defd..484c58d 100644 --- a/Forensics/Mail.md +++ b/Forensics/Mail.md @@ -6,6 +6,13 @@ emlAnalyzer ``` +## Outlook + +* Outlook files like `.msg` can be read and changed to by perl-email-outlook-message via +```sh +msgconvert *.msg +``` + ## References * [Email reputation](https://emailrep.io) diff --git a/Forensics/OLEtools.md b/Forensics/OLEtools.md index 251843e..99c1193 100644 --- a/Forensics/OLEtools.md +++ b/Forensics/OLEtools.md @@ -6,6 +6,8 @@ ## Usage +### OLEtools + * Check content of a stream ```sh oledump.py file.doc -Ss @@ -18,7 +20,7 @@ oledump.py -i file.doc olevba file.doc ``` -## Vipermonkey +### Vipermonkey * For the lazy ones ```sh vmonkey file.doc @@ -26,3 +28,10 @@ vmonkey file.doc ## scdbg * [scdbg repo](https://github.com/dzzie/SCDBG.git) + +## Outlook + +* Outlook files like `.msg` can be read and changed to by perl-email-outlook-message via +```sh +msgconvert *.msg +``` diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md new file mode 100644 index 0000000..1a9433e --- /dev/null +++ b/Forensics/Windows Event Logs.md @@ -0,0 +1,9 @@ +# Windows Event Log + +## Dump Logfile + +Windows Event Logfiles can be dumped via +```sh +evtx_dump $EVENT_LOG > event.log +evtx_dump -o json $EVENT_LOG > event.log +``` diff --git a/Post Exploitation/Enum on Target.md b/Post Exploitation/Enum on Target.md index 0da70fc..9071a52 100644 --- a/Post Exploitation/Enum on Target.md +++ b/Post Exploitation/Enum on Target.md 
@@ -77,6 +77,11 @@ cat /var/log/access.log | less ## Find Files +* User files +```sh +find / -user $USER 2>/dev/null | grep -vE "run|proc|var" +``` + * Find SUID permissions on files and dirs * `find / -perm /6000 -ls 2>/dev/null`
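Review bot: In the Forensics/Mail.md hunk the sentence "can be read and changed to by perl-email-outlook-message via" is ungrammatical and does not say what the conversion produces; suggest "Outlook `.msg` files can be converted to `.eml` with `msgconvert` from the perl-email-outlook-message package:" so the reader knows the output format before running it on a directory of samples.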
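Review bot: The third hunk of Forensics/OLEtools.md pastes the same Outlook section (heading, sentence and `msgconvert *.msg` block) that the Mail.md hunk adds, typo included; keep it in one place (Mail.md, where e-mail handling already lives) and link to it from OLEtools.md, otherwise the two copies will drift. It is also added as a `##` heading after `## scdbg`, while the same patch just demoted Vipermonkey to `###` under `## Usage`, so the heading levels in this file are now inconsistent.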
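Review bot: In the new Forensics/Windows Event Logs.md both commands redirect to the same `event.log`, so the JSON output overwrites the default dump written one line earlier; name them by format, e.g. `evtx_dump $EVENT_LOG > event.xml` and `evtx_dump -o json $EVENT_LOG > event.json`. Missing reference as well: the other pages link the tool they mean (see the scdbg repo link), and there are two tools with this name (the Rust `evtx_dump` and python-evtx's `evtx_dump.py`, which has no `-o json` option), so add the repo link for the one this page assumes.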
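Review bot: In the Post Exploitation/Enum on Target.md hunk the filter `grep -vE "run|proc|var"` drops any path that merely contains those substrings (for example a file under a directory named `runtime` or a file called `variables.txt`), not just the `/run`, `/proc` and `/var` trees; anchor it, e.g. `grep -vE "^/(run|proc|var)/"`, or use `find`'s `-path ... -prune` instead. The bullet text "User files" also does not say that `$USER` is the account being enumerated; a sentence stating that (or a clearer placeholder name) would make the entry consistent with the SUID bullet below it, which explains what it lists.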