# FOR508 Index

| Phase / Step | Key Actions |
|--------------|-------------|
| Preparation | Create a jump bag, establish legal authority, hash known-good files. |
| Detection | EDR alerts (Carbon Black, CrowdStrike, SentinelOne), SIEM correlation. |
| Initial Triage | Collect RAM, $MFT, the NTFS journals ($LogFile, $UsnJrnl), Windows Event Logs, Prefetch, Shimcache. |
| Time Stomping Check | Compare $STANDARD_INFORMATION (SI) against $FILE_NAME (FN) timestamps; an SI time earlier than the FN time, or SI times with zeroed sub-second values, suggests tampering. |
| Persistence Hunting | Run keys, Scheduled Tasks, Services, WMI event subscriptions, BootExecute. |
| Containment | Network isolation, kill-chain interruption, credential reset. |
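The time-stomping check above is easiest to run over a parsed $MFT rather than by eye. The script below is an added example, not part of the original index or of any SANS material: it reads a CSV shaped like MFTECmd's $MFT export (the column names `Created0x10`, `Created0x30`, `LastModified0x10`, `LastModified0x30` and the three sample rows are assumptions constructed for this example) and flags two classic indicators: an SI creation time earlier than the FN creation time, and SI timestamps whose 100-ns fraction is exactly zero, which is what second-granularity `SetFileTime` calls leave behind.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the shape of MFTECmd's $MFT CSV export. The column
# names and every value below are assumptions made for this example, not data
# from the page: *0x10 columns come from $STANDARD_INFORMATION (SI) and *0x30
# columns from $FILE_NAME (FN). Timestamps carry NTFS 100-ns precision.
SAMPLE_MFT_CSV = r"""ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
.\Windows\System32,svchost.exe,2019-03-19 04:37:27.5487201,2019-03-19 04:37:27.5487201,2019-03-19 04:37:27.5487201,2019-03-19 04:37:27.5487201
.\Windows\System32,svch0st.exe,2019-03-19 04:37:27.0000000,2023-11-02 13:14:09.1123456,2019-03-19 04:37:27.0000000,2023-11-02 13:14:09.1123456
.\Users\bob\Documents,report.docx,2023-10-30 09:00:12.3311200,2023-10-30 09:00:12.3311200,2023-11-01 16:42:01.9901010,2023-10-30 09:00:12.3311200
"""

SI_LT_FN = "SI created earlier than FN created (SI<FN)"
ZERO_FRACTION = "SI created and modified both have zeroed sub-second precision"


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' into (datetime, hundred_ns_ticks).

    datetime.strptime's %f only accepts up to six digits, so the seven-digit
    NTFS fraction is handled separately and kept as an integer tick count.
    The tuple compares chronologically because datetime is compared first.
    """
    base, _, frac = value.strip().partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    ticks = int((frac or "0").ljust(7, "0")[:7])
    return dt, ticks


def check_row(row):
    """Return the list of time-stomping indicators for one $MFT record."""
    findings = []
    si_created = parse_ts(row["Created0x10"])
    fn_created = parse_ts(row["Created0x30"])
    si_modified = parse_ts(row["LastModified0x10"])

    # $FILE_NAME timestamps are set from SI when the name record is created
    # and user-mode APIs cannot touch them, so SI predating FN means SI was
    # rewritten after the file already existed.
    if si_created < fn_created:
        findings.append(SI_LT_FN)

    # Real NTFS timestamps almost never land on an exact second; tools that
    # set times with 1-second granularity leave the 100-ns fraction at zero.
    if si_created[1] == 0 and si_modified[1] == 0:
        findings.append(ZERO_FRACTION)
    return findings


def find_time_stomping(csv_text):
    """Map full path -> findings for every record with at least one indicator."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_row(row)
        if findings:
            hits[row["ParentPath"] + "\\" + row["FileName"]] = findings
    return hits


if __name__ == "__main__":
    for path, findings in find_time_stomping(SAMPLE_MFT_CSV).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Treat each hit as a lead rather than proof: a rename or move after stomping copies the already-stomped SI values into the new $FILE_NAME attribute, which defeats the SI<FN comparison, and files copied in from FAT volumes or extracted from archives can legitimately carry zeroed fractions. Corroborate with the $UsnJrnl and $LogFile entries for the same MFT record before calling it tampering.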

Example of a one-line cheat-sheet description: "Tool used to parse large Windows Event logs via SQL-like queries."

## Step-by-Step Indexing Method

| Term | Context | Book/Page |
|------|---------|-----------|
| Jump Lists | DestList parsing | B2, p. 112 |
| Jump Lists | Forensic artifacts of executed programs | B2, p. 115 |
| Jump Lists | Timeline correlation with LNK files | B2, p. 118 |

Index columns:

- Term: The primary search term (e.g., "MFT Analysis" or "Shimcache").
- Context: The specific artifact or technique (e.g., "Shimcache" or "WMI Persistence").
- Book/Page: The book number and page number.
- Description/Cheat Sheet: A high-quality index often includes brief "cliff-notes" or definitions so you don't even have to open the books for straightforward questions [12, 25].

## Core Content Categories

- Incident Response Phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

