Skip to content

Cheat sheet — Windows Artifacts

Companion to Module 04 — Windows Artifacts · CC BY 4.0 — print it, pin it, share it.

Last reviewed: 2026-07

chainsaw — hunt EVTX without Windows

chainsaw hunt logs/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml   # apply Sigma rules
chainsaw hunt logs/ -s sigma/ -r rules/ --csv --output out/                  # + chainsaw rules, CSV out
chainsaw search logs/ -t 'Event.System.EventID: =4624'                       # field query, no rules
chainsaw search logs/ -e 4688 --json                                         # by event ID, JSON out
chainsaw dump Security.evtx --json                                           # raw EVTX → JSON
  • hunt = rule-driven triage (Sigma). search = you already know the field/value. Point it at a directory of .evtx — no Windows, no import.

Security event IDs worth memorizing

4624  logon success          (LogonType 3 = network, 10 = RDP)
4625  logon FAILURE           (bursts = brute force / spray)
4688  process creation        (GOLD for execution — parent + command line)
4672  special privileges assigned at logon (admin-equivalent)
4768  Kerberos TGT requested   4769  Kerberos service ticket (0x12 = account disabled/locked)
4720–4726  account created / enabled / password reset / deleted
7045  service installed (System log — persistence)
1102  SECURITY LOG CLEARED     (104 = System log cleared)

RegRipper — parse hives with plugins

rip.pl -r NTUSER.DAT -f ntuser          # run the ntuser profile (many plugins at once)
rip.pl -r SYSTEM   -p shimcache         # a single plugin
rip.pl -r SOFTWARE -p run               # autorun / Run keys
rip.pl -l                                # list available plugins

python-registry — script hive parsing offline

from Registry import Registry
reg = Registry.Registry("NTUSER.DAT")
key = reg.open("Software\\Microsoft\\Windows\\CurrentVersion\\Run")
for v in key.values():
    print(v.name(), "->", v.value())
print(key.timestamp())                  # LAST WRITE time of the key (not creation!)

Forensically important hives & keys

SYSTEM    \CurrentControlSet\Services            (service persistence)
          \CurrentControlSet\Control\...\AppCompatCache   (Shimcache — execution metadata)
SOFTWARE  \Microsoft\Windows\CurrentVersion\Run          (autorun persistence)
          \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache  (scheduled tasks)
NTUSER.DAT \Software\Microsoft\Windows\CurrentVersion\Run
           \...\Explorer\RecentDocs, \...\RunMRU, \...\TypedPaths   (user activity / MRU)

Execution-artifact trio (check all three)

Prefetch  C:\Windows\Prefetch\NAME.EXE-XXXXXXXX.pf   → ran, when, run count
Shimcache SYSTEM hive, AppCompatCache                → metadata even if prefetch is disabled
Amcache   C:\Windows\appcompat\Programs\Amcache.hve  → SHA1 of the binary (the SPECIFIC file)

Gotchas worth remembering

  • Registry timestamps are last-write only — not creation, not access. Reading "the key was created last night" off a last-write time is a classic error that fabricates a timeline.
  • Artifacts cross-corroborate — never rest a case on one source. An attacker who clears one usually leaves the trail in another; a Security-log clear records itself as Event ID 1102.
  • Check all three execution artifacts. Prefetch can be disabled or wiped, but Shimcache and Amcache often survive — and Amcache's SHA1 proves the specific binary, not just "something ran."
  • 4688 is only as good as your audit policy. Process-creation logging (and command-line capture) must be enabled; absence of 4688 events may mean "not logged," not "nothing ran."
  • Parse hives offline with python-registry/RegRipper — read the raw hive from the image, never boot the evidence to browse the registry live.

Comments

Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).