Evidence of Execution
Prefetch
Amcache.hve
System Resource Usage Monitor (SRUM)
Background Activity Monitor
AutomaticDestinations Jumplists
Task Scheduler Files
Task Scheduler Operational Log
Windows Error Reporting Files (.WER)
Tracing Registry Keys
EventID 4688: A new process has been created
EventID 2004: Firewall Rule Added
EventID 2005: Firewall Rule Modified
EventID 2006: Firewall Rule Deleted
EventID 2071: Firewall Rule Added
EventID 2073: Firewall Rule Modified
EventID 2052: Firewall Rule Deleted
EventID 9707: Command Execution Started
EventID 4104: PowerShell Script Block Logging