Configure collection - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM

Creation date: 2025-07-15

Last date published: 2026-06-11

Category: Administrator Guide

On the configuration page, select the relevant categories and artifacts for collection.

Configuration for collection

Note

When search fields are specified, the search is limited based on those filters. If more than one entry is in a search filter field, the search returns entries that match any of them. For example: A File Search with two specified paths ("C:\Test\*" and "C:\Windows\*") will return results from both the Test and Windows folders.

If you specify multiple search fields, the search returns entries that match all the selected criteria. For example: A File Search with one path ("C:\Test") and one size filter (">= 100MB") will return results from the Test folder that are greater than or equal to 100 megabytes.

Not all artifacts within an artifact category support the same search fields. If an artifact does not support one of the specified fields, then that filter is not applied to the search results. For example, in Windows, a Process Execution search with the search field User Name="jsmith" will filter the CidSizeMRU, LastVisitedPidlMRU, and UserAssist artifacts for that user name. That user name will not filter results from the Amcache, Prefetch, and Shimcache artifacts because those artifacts do not have a User Name field.
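To make the three rules above concrete (OR across entries of one field, AND across fields, and a field an artifact does not carry being skipped), here is an added example, not code from the Cortex XSIAM product or its documentation, that applies them in Python to constructed sample records. The field names, the artifact-to-field mapping, and the exact wildcard and size semantics are assumptions for illustration.

```python
import re

# Constructed sample records (not real endpoint output). "artifact" names the
# source; the other keys are the fields that artifact carries. Prefetch rows
# deliberately have no user_name field, mirroring the example in the note.
MB = 1024 ** 2
SAMPLE_RECORDS = [
    {"artifact": "UserAssist", "path": r"C:\Test\tool.exe", "file_name": "tool.exe",
     "user_name": "jsmith", "file_size": 200 * MB},
    {"artifact": "UserAssist", "path": r"C:\Test\tool.exe", "file_name": "tool.exe",
     "user_name": "bob", "file_size": 10 * MB},
    {"artifact": "Prefetch", "path": r"C:\Windows\Temp\a\b\DEADBEEF.exe",
     "file_name": "DEADBEEF.exe", "file_size": 5 * MB},
    {"artifact": "Prefetch", "path": r"C:\Other\x.exe", "file_name": "x.exe"},
    {"artifact": "Prefetch", "path": r"C:\Windows\notepad.exe", "file_name": "notepad.exe"},
]

def path_to_regex(pattern: str) -> re.Pattern:
    """Assumed wildcard semantics: ? = one char, * = within one path component,
    ** = zero or more whole components. Separator may be \\ or /."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 3] in ("**\\", "**/"):
            out.append(r"(?:.*[\\/])?"); i += 3
        elif pattern[i:i + 2] == "**":
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\/]*"); i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out), re.IGNORECASE)

_SIZE_RE = re.compile(r"^\s*(>=|<=|>|<|=)?\s*(\d+)\s*(B|KB|MB|GB)?\s*$", re.I)
_UNITS = {"B": 1, "KB": 1024, "MB": MB, "GB": 1024 ** 3}

def size_matches(expr: str, size: int) -> bool:
    """Evaluate a size filter such as ">= 100MB" against a byte count."""
    m = _SIZE_RE.match(expr)
    if not m:
        raise ValueError(f"bad size filter: {expr!r}")
    op = m.group(1) or "="
    limit = int(m.group(2)) * _UNITS[(m.group(3) or "B").upper()]
    return {">=": size >= limit, "<=": size <= limit, ">": size > limit,
            "<": size < limit, "=": size == limit}[op]

def value_matches(field: str, wanted: str, actual) -> bool:
    if field == "path":
        return path_to_regex(wanted).fullmatch(actual) is not None
    if field == "file_name":  # regular expression, case-insensitive
        return re.search(wanted, actual, re.IGNORECASE) is not None
    if field == "file_size":
        return size_matches(wanted, actual)
    return wanted.lower() == str(actual).lower()  # user name, hash: exact match

def record_matches(record: dict, filters: dict) -> bool:
    """AND across fields, OR across the entries of one field; a field the
    artifact does not carry is skipped rather than failing the record."""
    for field, entries in filters.items():
        if field not in record:
            continue
        if not any(value_matches(field, e, record[field]) for e in entries):
            return False
    return True

def search(records: list, filters: dict) -> list:
    return [r for r in records if record_matches(r, filters)]
```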

You can create a search query by adding any of the following artifacts available for both triage and hunt collections:

Each category below lists the category name as it appears in a Hunt Collection, its default timeout, the artifacts collected from the endpoint(s), and the supported filters.

Note

Data collected during a Triage Collection is categorized into Artifacts, Volatiles, and File Collection.

Archive History (Windows only)

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) 7-Zip Folder History: A registry key containing a list of archive files accessed using 7-Zip.

  • (Windows) WinRAR ArcHistory: A registry key containing a list of archive files accessed using WinRAR.

Supported filters:

  • File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • File Path: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\*.exe

Browser History

Default timeout: 60 minutes

Artifacts collected:

  • (Windows, macOS) Chrome

  • (Windows, macOS) Chromium-Based

  • (Windows, macOS) Firefox

  • (Windows) Edge-Anaheim

  • (Windows) Edge-Spartan

  • (Windows) Internet Explorer

  • (macOS) Quarantine

  • (macOS) Safari

Supported filters:

  • URL: regular expression

    Example: goog.*\.com

  • History File Path: path (wildcards ? * ** supported)

    Example: C:\Users\*\AppData\Local\BraveSoftware\Brave-Browser\*\History

Command History

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) PSReadline: A record of commands typed into a PowerShell terminal by the user. The history file is enabled by default, starting with PowerShell 5 on Windows 10 or newer.

  • (macOS) Shell History: Commands recorded to the history files for Bash and Zsh shells.

Supported filters:

  • Search Regex: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

Deleted Files (Windows only)

Default timeout: 180 minutes

Artifacts collected:

  • (Windows) Recycle Bin: A folder used by Windows as temporary storage for deleted files before permanent deletion.

Supported filters:

  • File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • File Path: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\*.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

File Access

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) Jumplists: A feature of the Windows Taskbar that provides shortcuts to users for recently accessed files or applications.

  • (Windows) OpenSavePidlMRU: A registry key containing a list of recently opened and saved files for a user's account.

  • (Windows) Recent Files: Contents of the shortcut (.lnk) files found in a user's Recent folder. These files represent files recently accessed for a user account.

  • (Windows) ShellBags: Registry keys that record user layout preferences for each folder with which the user interacts.

  • (Windows) TypedPaths: A registry key containing a list of paths that the user typed into the Windows Explorer path bar.

  • (macOS) Recent Documents: Plist files located within a user's Library directory that contain a list of documents accessed by that user.

Supported filters:

  • Target File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Target File Path: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\*.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

File Search

Default timeout: 180 minutes

Artifacts collected:

  • (Windows, macOS) File Search: Search for a file across endpoints by specifying a file path that can include wildcards, and then filter those results based on the file size, the file name (supports regular expressions), or file hash (MD5, SHA1, or SHA256).

Supported filters:

  • File Path: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\*.exe

  • File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • File Hash: Supports MD5, SHA1, and SHA256.

    Example: f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01

  • Size

    Example: >= 100 MB

Log Search

Default timeout: 180 minutes

Artifacts collected:

  • (Windows) Event Log: A component of Microsoft Windows, where the user can view a record of events that occurred within a system or process.

  • (macOS) Apple Unified Logs: Predicate is a custom filter component for Apple Unified Logs.

Supported filters:

  • Event Log Channel: Does not support wildcards.

    Example: Security

  • Event ID

    Example: 4624

  • Providers: Does not support wildcards.

    Example: Security

  • Message: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Predicate: Custom filter component for Apple Unified Logs.

    Example: eventType=logEvent AND eventMessage Contains abc

Network Data

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) ARP Cache: A cache of Address Resolution Protocol (ARP) records for resolved MAC and IP addresses.

  • (Windows) DNS Cache: A cache of Domain Name System (DNS) records for resolved domains and IP addresses.

  • (Windows, macOS) Hosts File: Listing of entries from the /etc/hosts file.

  • (macOS) Recent Places: A plist file located within a user's Library directory that contains a list of recently accessed servers and hosts.

Supported filters:

  • IP Address: IPv4 or IPv6 addresses.

    Example: 10.0.0.5

  • Domain: regular expression (case-insensitive)

    Example: goo.*\.com

  • Path: path (wildcards ? * ** supported)

    Example: /Volumes/VMware*

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

Persistence

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) Drivers: Windows device drivers installed on each endpoint.

  • (Windows) Registry Persistence: A collection of registry keys that can be used for malware persistence.

  • (Windows) Scheduled Tasks: Tasks used to execute Windows programs or scripts at specified intervals.

  • (Windows) Services: Windows applications that run in the background and do not require user interaction.

  • (Windows) Shim Databases: Databases used by the Application Compatibility Infrastructure to apply shims to executables for backwards compatibility. These databases can be used to inject malicious code into legitimate processes and maintain persistence on an endpoint.

  • (Windows) Startup Folder: Contents of the shortcut .lnk files found in the Startup folder for both the system and users. The folders are used to launch applications during system startup or user logon.

  • (Windows) WMI Persistence: List of WMI EventConsumers and any EventFilters that are bound to them using a FilterToConsumerBinding. WMI EventConsumers can be used for fileless malware persistence.

  • (macOS) Cron: A system utility that executes programs or scripts at specified intervals.

  • (macOS) Launchd: Listing of applications and daemons configured to launch using the launchd process.

  • (macOS) Login Items: Plist files that contain applications, files, or folders configured to launch during user login.

Supported filters:

  • Registry Path: path (wildcards ? * ** supported)

    Example: HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*

  • Executable Path: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\test.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

  • SHA256: Supports SHA256 hashes.

    Example: f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01

  • Command: regular expression (case-insensitive)

    Example: /bin/sh /private/etc/periodic/weekly/.*

Process Execution

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) Amcache: A registry hive used by the Application Compatibility Infrastructure to cache the details of executed or installed programs.

  • (Windows) Background Activity Monitor: Per-user registry keys created by the Background Activity Monitor (BAM) service to store the full paths of executable files and a timestamp indicating when they were last executed.

  • (Windows) CidSizeMRU: A registry key containing a list of recently launched applications.

  • (Windows) LastVisitedPidlMRU: A registry key containing a list of the applications and folder paths associated with recently opened files found in the user's OpenSavePidlMRU key.

  • (Windows) Prefetch: A type of file created to optimize application startup in Windows. These files contain a run count for each application, between one and eight timestamps of the most recent executions, and a record of all the files opened for a set duration after the application was started.

  • (Windows) Recentfilecache: A cache created by the Application Compatibility Infrastructure to store the details of executed or installed programs (Windows 7 only).

  • (Windows) Shimcache: A registry key used by the Application Compatibility Infrastructure to cache details about local executables.

  • (Windows) UserAssist: A registry value that records a count for each application that a user launches via the Windows UI.

  • (Windows) Windows Activities: A database containing user activity for a particular Microsoft user account, potentially across multiple devices. This is also called the Windows Timeline.

  • (macOS) CoreAnalytics: A diagnostic log that contains details of files executed on the system.

  • (macOS) Recent Applications: A plist file located within a user's Library directory that contains a list of applications opened by that user.

Supported filters:

  • Executable File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Executable Path: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\test.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

  • SHA256: Supports SHA256 hashes.

    Example: f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01

Registry Search (Windows only)

Default timeout: 180 minutes

Artifacts collected:

  • (Windows) Registry Search: Registry listings collected during a forensic investigation.

Supported filters:

  • Path: path (wildcards ? * ** supported)

    Example: HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*

  • Data: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

Remote Access (Windows only)

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) AnyDesk Connection Logs: Records of activity found in the AnyDesk connection logs.

  • (Windows) AnyDesk Trace Logs: Records of activity found in the AnyDesk trace logs.

  • (Windows) LogMeIn: Records of activity found in the LogMeIn event logs.

  • (Windows) TeamViewer: Records of incoming TeamViewer connections found in the Connections_incoming.txt file.

  • (Windows) User Access Logging: A Windows Server feature that records details about client access to the server. Only found on Windows Server 2012 and newer.

Supported filters:

  • IP Address: IPv4 or IPv6 addresses

    Example: 10.0.0.5

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

System Statistics (Windows only)

Default timeout: 60 - 120 minutes

Artifacts collected:

  • (Windows) Application Resource Usage: A table in the System Resource Usage database that stores statistics pertaining to resource usage by running applications.

  • (Windows) Network Connectivity Usage: A table in the System Resource Usage database that stores statistics pertaining to network connections, containing the start time and duration of the connections for each network interface.

  • (Windows) Network Data Usage: A table in the System Resource Usage database that stores statistics pertaining to network data usage for running applications. Includes application path, network interface, bytes sent, and bytes received.

Supported filters:

  • Application: path (wildcards ? * ** supported)

    Example: C:\Windows\Temp\**\test.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

User Searches

Default timeout: 60 minutes

Artifacts collected:

  • (Windows) WordWheelQuery: Registry key containing a list of terms that a user searched for in Windows Explorer.

  • (macOS) Spotlight Shortcuts: A plist file that contains the Spotlight search terms entered by each user and the items that they selected from the search results.

Supported filters:

  • User Search: User SID or User Name selector.

    Example: PANW\jsmith

  • Search Regex: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

Linux

Core Linux

Default timeout: 60 minutes

Artifacts collected, each followed by its supported filters:

Authorized Keys: Contains public keys that are permitted to log in as a specific user via SSH. Attackers can add their own keys to this file to gain persistent access to a system.

  • Comment: regular expression (case-sensitive)

    Example: tar\cvzf.*

Known Hosts: The known_hosts file stores the public keys of SSH servers that a user has connected to. This helps to verify the server's identity and prevent man-in-the-middle attacks by alerting the user if the server's key changes.

  • Host: IP or hostname (regular expression)

    Example: 4\.2\.2\.*, .*\.google\.com

System Information: Provides fundamental hardware and system information, including manufacturer, model, UUID, and memory details. This helps identify and profile the system.

  • File Name: regular expression (case-sensitive)

    Example: [0-9A-F]{8}

Systemd Journal:

  • None required

Running Processes: A detailed snapshot of running processes on the system. This includes process identifiers, user context, executable path, parent-child relationships, state, and performance metrics. It is a cornerstone artifact for live system analysis.

  • File Name: regular expression (case-sensitive)

    Example: [0-9A-F]{8}

  • Process Owner: Entries are either numeric UIDs or text usernames.

    Example: 1001

  • Path: file path

    Example: /usr/local/share/*/bin/*

Network Connections: Lists active network connections and listening ports. Essential for identifying unauthorized network communications, malware command and control (C2) channels, or unexpected listening services.

  • Local IP: IPv4 or IPv6 addresses

    Example: 10.0.0.5

  • Local Port

  • Remote IP

  • Remote Port

  • Netstat Command Line

  • Netstat Process Name

  • Netstat Process Path

Firewall Rules: Firewall rules (for example, from iptables) that control network traffic. Analyzing these rules is important for understanding the network security posture and identifying potentially malicious or overly permissive configurations.

Note

Supported only for the UFW tool (a firewall management tool for some Linux distributions, such as Ubuntu).

  • Source: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Destination: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

Kernel Modules: Lists kernel modules on the system, their state, and the associated file path. Malicious actors may use custom kernel modules (rootkits) to hide their presence or gain privileged access.

  • Module Name: regular expression (case-insensitive)

  • Module Path: path

Environment Variables: Lists environment variables for a given context (for example, a user's shell or a specific process). These variables define the execution environment and can contain important paths, configurations, or sensitive data.

  • Key: regular expression (case-sensitive)

  • Value: regular expression (case-sensitive)

Mounted Filesystems: Lists all mounted file systems, their sources (devices), types, and unique identifiers. This is useful for discovering connected storage, network shares, and understanding the file system layout.

  • None required

User Login & Session History: Records of user login sessions produced by the "last" command, showing who logged in, from where, and for how long. This is essential for auditing user access and investigating unauthorized logins.

  • User Login

Command History: Detailed records of commands from user shell history files (for example, .bash_history, .zsh_history). This artifact is essential for tracking user activity and command execution.

  • Command

  • Executed by: Entries are either numeric UIDs or text usernames.

    Example: 1001

Auditd Rules: Refers to the log data collected by the Linux Audit Daemon, which is a core component of security auditing. It records a detailed, chronological trail of system events based on a set of pre-configured rules.

  • Command

  • Executed by: Entries are either numeric UIDs or text usernames.

    Example: 1001

  • Auditd Exe

System-Wide Configuration: Key-value pairs parsed from various configuration files within the /etc directory, such as /etc/resolv.conf for DNS settings. This artifact helps understand the system's network and operational configuration.

  • Source: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

File Listing: A plain text file used in digital forensics to create a detailed timeline of file system activity.

  • File Name: regular expression (case-sensitive)

    Example: [0-9A-F]{8}

  • User Id: Entries are either numeric UIDs or text usernames.

    Example: 100001

  • Group Id: Entries are either numeric GIDs or text group names.

    Example: 0, 1

Files & Processes: Lists the files opened by each process. This listing is essential for mapping a process directly to the files, loaded libraries, and network sockets it is using, which can immediately reveal hidden activities or active connections.

  • File Name: regular expression (case-sensitive)

    Example: [0-9A-F]{8}

  • User Id: Entries are either numeric UIDs or text usernames.

    Example: 100001

System Configuration Files: Shell profile files (for example, .bashrc, .profile) that contain commands and configurations executed at session startup. They are analyzed for persistence mechanisms, aliases, and malicious environment modifications.

  • None required

Service Status: Lists system daemons or services (for example, from systemd). Analyzing these is key to understanding which long-running processes are configured on the system and to spot malicious or unnecessary services.

  • File Name: regular expression (case-sensitive)

    Example: [0-9A-F]{8}

  • Path: file path

    Example: /usr/local/share/*/bin/*

  • Command