Files.cfg
**********************************************************
* AChReport Configuration File *
* If this file does not exist the default is Run:AllAll *
**********************************************************
* Run:AllAll - Run All Sections
**********************************************************
Run:SmallDeleted - Run Small Deleted Files Section
Run:MediumDeleted - Run Medium Deleted Files Section
Run:LargeDeleted - Run Large Deleted Files Section
Run:LargeActive - Run Large Active Files Section
Run:TempActiveExe - Run Active EXE Files in Temp Directories Section
Run:TempDeletedExe - Run Deleted EXE Files in Temp Directories Section
* Run:SuccessRDP - Run Successful RDP Logins Section
* Run:FailedLogins - Run Failed Logins Section
Run:FileBrowseArchive - Run Accessed Archive (.zip, .arc, etc.) Files Section
Run:FileBrowseHistory - Run Accessed Files Section
* Run:InetBrowseHistory - Run Internet Browser History Section
* Run:PrefetchHistory - Run Prefetch History Section
* Run:IPConnectionInfo - Run IP Connections Section
* Run:UserAssist - Run User Assist Section
* Run:AutoRuns - Run AutoRuns Section
* Run:Services - Run Services Section
* Run:ScheduledTasks - Run Scheduled Tasks Section
* Run:DNSCache - Run DNS Cache Section
* Run:RecycleBin - Run Recycle Bin Section
* Run:IndicatorsIP - Run Collected IP Indicators Section
* Run:IndicatorsHash - Run Collected Hash Indicators Section
* Run:IndicatorsDomain - Run Collected Domain Indicators Section
**********************************************************
**********************************************************
* Branding and PreConvert *
**********************************************************
*Brander:<h2>Merged Version</h2>
*PreConv:powershell -ExecutionPolicy Bypass -File .\Velo2Ach.ps1
**********************************************************
* Artifact:PathToArtifact (Velociraptor) *
**********************************************************
*Collect:Velociraptor
*MFTFile:\C\$MFT
*RegSoft:\C\Windows\System32\config\SOFTWARE
*RegSyst:\C\Windows\System32\config\SYSTEM
*RegUser:\C\Users
*AmCache:\C\Windows\appcompat\Programs\AmCache.hve
*Prefetc:\C\Windows\Prefetch
*EvtDir1:\C\Windows\System32\winevt\Logs
*EvtDir2:\C\Windows\System32\winevt\Logs
*Recycle:\C\$RECYCLE.BIN
*Browser:\Brw\BrowseHist.csv
*IPConns:\Sys\Cports.csv
*UsrAsst:\Sys\UserAssist.csv
*Powersh:\C\Users
*LNKFile:\C\Users
*AutoRun:\Arn\AutoRun.dat
*SchTsk1:\Sch
*SchTsk2:\C\Windows\System32\Tasks
*DNSIpcf:\Sys\IPCfgDNS.dat
*DNSCach:\Sys\DNSCache.csv
*ShelBag:\C\Users
**********************************************************
* Artifact:PathToArtifact (AChoir/X) *
**********************************************************
Collect:AChoirX
MFTFile:\RawData\MFT-C
RegSoft:\Reg\SOFTWARE
RegSyst:\Reg\SYSTEM
RegUser:\Reg
AmCache:\Reg\AmCache.hve
Prefetc:\Prf
EvtDir1:\evt\sys32
EvtDir2:\evt\nativ
Recycle:\RBin
Browser:\Brw\BrowseHist.csv
IPConns:\Sys\Cports.csv
UsrAsst:\Sys\UserAssist.csv
Powersh:\Psh
LNKFile:\Lnk
AutoRun:\Arn\AutoRun.dat
SchTsk1:\Sch
SchTsk2:\C\Windows\System32\Tasks
DNSIpcf:\Sys\IPCfgDNS.dat
DNSCach:\Sys\DNSCache.csv
ShelBag:\Reg
**********************************************************
* IOC:IOC1_Goes_Here
* IOC:IOC2_Goes_Here_etc
**********************************************************
IOC:Metasploit
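The file above is read by AChReport, but this page does not show the tool's own parsing code. The following Python is an added example, not AChReport's code, of how a reader of this format can be written so that the meaning of each line is explicit. Its semantics are inferred from the file's own comment lines and are assumptions: a line beginning with `*` is a banner or a disabled directive and is ignored; every other non-blank line is `Key:Value`; for `Run:` lines the text after the first whitespace (`- Run ... Section`) is a description and is dropped; artifact keys (`MFTFile`, `Prefetc`, ...) hold paths relative to the collection root; `IOC:` lines accumulate; and a missing file means `Run:AllAll`, as the header states. `SAMPLE_CFG` is a constructed, trimmed copy of the page's layout, and `parse_files_cfg`, `load_files_cfg` and `ReportConfig` are names chosen for this example.

```python
"""Reader for the AChReport Files.cfg layout (added example, not AChReport's own code).

Assumed semantics, inferred from the comment lines of the config file:
  * a line starting with '*' is a banner comment or a disabled directive
  * every other non-blank line is 'Key:Value' (split on the first ':')
  * Run:<Section> enables one report section; Run:AllAll enables every section
  * a missing config file is equivalent to Run:AllAll (stated in the file header)
  * Collect:, MFTFile:, Prefetc:, ... map artifact names to collection-relative paths
  * IOC:<term> adds one indicator keyword
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the layout shown on the page.
# Note that SuccessRDP, Brander and PreConv are disabled with a leading '*'.
SAMPLE_CFG = """\
**********************************************************
* AChReport Configuration File *
**********************************************************
Run:SmallDeleted - Run Small Deleted Files Section
Run:LargeActive - Run Large Active Files Section
* Run:SuccessRDP - Run Successful RDP Logins Section
*Brander:<h2>Merged Version</h2>
*PreConv:powershell -ExecutionPolicy Bypass -File .\\Velo2Ach.ps1
Collect:AChoirX
MFTFile:\\RawData\\MFT-C
Prefetc:\\Prf
EvtDir1:\\evt\\sys32
IOC:Metasploit
"""


@dataclass
class ReportConfig:
    """Parsed view of one Files.cfg (hypothetical structure for this example)."""
    sections: set[str] = field(default_factory=set)
    collector: str | None = None
    artifacts: dict[str, str] = field(default_factory=dict)
    iocs: list[str] = field(default_factory=list)
    brander: str | None = None
    preconv: str | None = None

    def section_enabled(self, name: str) -> bool:
        # AllAll is a wildcard for every section.
        return "AllAll" in self.sections or name in self.sections

    def artifact_path(self, key: str, root: str) -> str | None:
        """Resolve a collection-relative artifact path under the collection root."""
        rel = self.artifacts.get(key)
        if rel is None:
            return None
        # Values are written with a leading backslash relative to the collection
        # root (assumption); strip it and join with the host's own separator.
        return os.path.join(root, *rel.lstrip("\\").split("\\"))


def parse_files_cfg(text: str) -> ReportConfig:
    """Parse Files.cfg text; '*' lines are skipped, so disabled directives never take effect."""
    cfg = ReportConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # banner or disabled directive
        if ":" not in line:
            continue  # not a Key:Value directive; ignore
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key == "Run":
            if value:
                cfg.sections.add(value.split()[0])  # drop trailing "- description"
        elif key == "Collect":
            cfg.collector = value
        elif key == "IOC":
            cfg.iocs.append(value)
        elif key == "Brander":
            cfg.brander = value
        elif key == "PreConv":
            cfg.preconv = value
        else:
            cfg.artifacts[key] = value  # MFTFile, RegSoft, Prefetc, EvtDir1, ...
    return cfg


def load_files_cfg(path: str) -> ReportConfig:
    """Read a config file from disk; a missing file defaults to Run:AllAll."""
    if not os.path.exists(path):
        return parse_files_cfg("Run:AllAll")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_files_cfg(fh.read())


if __name__ == "__main__":
    cfg = parse_files_cfg(SAMPLE_CFG)
    print("collector:", cfg.collector)
    print("enabled sections:", sorted(cfg.sections))
    print("SuccessRDP enabled:", cfg.section_enabled("SuccessRDP"))
    print("MFT path:", cfg.artifact_path("MFTFile", "/cases/host01"))
    print("IOCs:", cfg.iocs)
```

Two behaviours are worth checking in any reader of this format: a commented-out `PreConv` line must never be treated as a command to run (the parser above leaves `preconv` unset for the sample), and the `Run:AllAll` default must only apply when the file is absent, not when it is present but lists no `Run:` lines.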