From 8e1db938f8c6ba07d8a990ff6c4019e7eddaab9f Mon Sep 17 00:00:00 2001 From: DulceMV Date: Mon, 13 Feb 2017 17:39:58 +1100 Subject: [PATCH] Formatting updates --- ...gate-machines-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index 9d7f2ed9e4..0d3c736edc 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md @@ -168,7 +168,7 @@ Network connections | This folder contains a set of data points related to the c Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

- Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. Processes | Contains a CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when trying to identify if there is a suspicious process and its state. Scheduled tasks | Contains a CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for a suspicious code set to run automatically. -Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer. +Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

NOTE: Open the event log file using Event viewer. Services | Contains the services.txt file which lists services and their states. SMB sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

Contains files for SMBInboundSessions and SMBOutboundSession.

NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

This can help to track suspicious files that an attacker may dropped on the system.

NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.