Windows 10 What are the best Windows artefacts to look for a system hack?

Cmann (New Member, joined Jan 26, 2020, 14 messages)
Hi, I am an aspiring computer security investigator. I am currently creating a security response plan for a hacked Windows 10 machine. I'm using forensic Autopsy software for testing purposes.

I have no idea what the hack is yet; I've just been told to think of possible scenarios of where to look. Currently I'm knowledgeable on Event Viewer, but I need to be more flexible with my approach. If you have any recommendations, that would be brilliant.
Solution
There are quite a few, and it also depends on what logging is in the environment.
Some are:
  • DNS logs
  • DHCP logs
  • Running processes
  • Scheduled tasks
  • Firewall logs and rules (local)
  • Prefetch cache
  • Event logs
  • Files and hashes
  • Services
  • IIS or other web server logs
  • syslog
  • PowerShell logging (if enabled)
  • Current network connections (usually needs a memory dump and analysis)
  • MRU lists for different applications
  • Browser cache and history
  • Autorun keys and startup directories
  • UserInit reg
  • Sysmon logs (has to be installed and enabled)
  • Installed applications

Handy list to look at
MITRE ATT&CK®
Link Removed

Good books to read
Link Removed

Link Removed
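A live-host triage collector for the artefacts listed in this answer, added here as an example (it is not the poster's code). It assumes an elevated PowerShell 5.1 or later session on the Windows 10 machine itself and an output directory (`$OutDir`, created by the script) that the analyst will carry off the host; every other name is a built-in cmdlet or a standard Windows registry path.

```powershell
# Example triage collector for the artefact list above (added example, not from the original post).
# Assumes an elevated PowerShell 5.1+ session on the live Windows 10 host; $OutDir is an assumed location.
param([string]$OutDir = "C:\Triage\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Each artefact goes to its own CSV so it can be reviewed offline or diffed against a known-good host.
# Errors in one collector (missing log, access denied) become a warning instead of stopping the run.
function Save-Artefact([string]$Name, [scriptblock]$Collector) {
    $ErrorActionPreference = 'Stop'
    try { & $Collector | Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation -Encoding UTF8 }
    catch { Write-Warning "$Name : $($_.Exception.Message)" }
}

# Running processes plus the SHA-256 of each backing image (covers "Files and hashes" too).
Save-Artefact 'Processes' {
    Get-CimInstance Win32_Process | ForEach-Object {
        $hash = if ($_.ExecutablePath) { (Get-FileHash $_.ExecutablePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }
        [pscustomobject]@{ PID=$_.ProcessId; PPID=$_.ParentProcessId; Name=$_.Name; Path=$_.ExecutablePath; SHA256=$hash; CommandLine=$_.CommandLine }
    }
}
Save-Artefact 'ScheduledTasks' {
    Get-ScheduledTask | Select-Object TaskPath, TaskName, State,
        @{n='Execute';e={($_.Actions | ForEach-Object Execute) -join ';'}}, @{n='Args';e={($_.Actions | ForEach-Object Arguments) -join ';'}}
}
Save-Artefact 'Services' { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName }
# Autorun keys (machine and user), Winlogon Userinit/Shell values, and the startup folders.
Save-Artefact 'Autoruns' {
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' |
    Where-Object { Test-Path $_ } | ForEach-Object { $key = $_; (Get-Item $key).Property | ForEach-Object {
        [pscustomobject]@{ Key=$key; Name=$_; Command=(Get-ItemProperty $key).$_ } } }
}
Save-Artefact 'Winlogon' { Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Userinit, Shell }
Save-Artefact 'StartupDirs' {
    Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup", "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length
}
Save-Artefact 'Prefetch' { Get-ChildItem 'C:\Windows\Prefetch' -Filter *.pf | Select-Object Name, CreationTime, LastWriteTime }
Save-Artefact 'NetConnections' { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
Save-Artefact 'DnsCache' { Get-DnsClientCache | Select-Object Entry, RecordName, Data, TimeToLive }
Save-Artefact 'FirewallRules' { Get-NetFirewallRule -Enabled True | Select-Object DisplayName, Direction, Action, Profile }
Save-Artefact 'InstalledApps' {
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}
# Event logs: logons (4624/4625), process creation (4688), account/group changes (4720/4732),
# new service installs (System 7045), PowerShell script blocks (4104), and Sysmon when it is installed.
Save-Artefact 'SecurityEvents' { Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4688,4720,4732} -MaxEvents 5000 | Select-Object TimeCreated, Id, Message }
Save-Artefact 'ServiceInstalls' { Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | Select-Object TimeCreated, Id, Message }
Save-Artefact 'PowerShellScriptBlocks' { Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 2000 | Select-Object TimeCreated, Message }
Save-Artefact 'Sysmon' { Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5000 | Select-Object TimeCreated, Id, Message }
Write-Host "Artefacts written to $OutDir"
```

Logs that are absent or not enabled (Sysmon, PowerShell script block logging) produce a warning and no CSV rather than aborting the collection; a memory image should still be taken separately, since the network-connection and process snapshots here are only what the live system reports.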