Windows Security Artifacts

Log files and artifacts of built-in and popular applications in Windows that can help red teams identify potentially important information about the target system or organization, such as usernames and passwords, domain information, and similar data.

By default, PowerShell on Windows 10 (through the PSReadLine module) saves every command entered in an interactive console to a plaintext file in each user's profile, and the file persists across sessions. It can be found at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.
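As an added example (not part of the original page), the following PowerShell script audits the current user's PSReadLine history file for entries that look like they carry a secret and then shows the hardening options. The pattern list is a constructed, non-exhaustive set and should be tuned per environment; the script assumes PSReadLine is present (it ships with Windows 10).

```powershell
# Added example (not from the original page): audit the PSReadLine history file
# of the current user for credential-looking entries and show how to stop
# PowerShell from persisting history at all.

$HistoryPath = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'

# Patterns that commonly indicate a secret typed on the command line.
# Assumption: constructed starting set, extend it for your own tooling.
$SensitivePatterns = @(
    '-Password\s+\S',          # e.g. New-LocalUser -Password ...
    '-AsPlainText',            # ConvertTo-SecureString ... -AsPlainText
    'net\s+user\s+\S+\s+\S+',  # net user <name> <password>
    'cmdkey\s+/add',           # stored credentials via cmdkey
    '/p:\S'                    # runas/psexec style password switch
)

function Get-HistoryFindings {
    param([string]$Path = $HistoryPath)

    if (-not (Test-Path $Path)) {
        Write-Warning "No PSReadLine history at $Path"
        return @()
    }

    $item = Get-Item $Path
    Write-Host ("History file: {0} ({1} bytes, last written {2})" -f $item.FullName, $item.Length, $item.LastWriteTime)

    $lineNo = 0
    Get-Content $Path | ForEach-Object {
        $lineNo++
        $line = $_
        foreach ($p in $SensitivePatterns) {
            # -match is case-insensitive by default
            if ($line -match $p) {
                [pscustomobject]@{ Line = $lineNo; Pattern = $p; Command = $line }
                break
            }
        }
    }
}

# Report findings; the command text is shown so the owner can decide what to purge.
$findings = Get-HistoryFindings
$findings | Format-Table -AutoSize

# Remediation options once the findings have been reviewed:
# 1. Remove the offending lines, or the whole file:
#    Remove-Item $HistoryPath
# 2. Stop persisting history for this user by adding this line to $PROFILE:
#    Set-PSReadLineOption -HistorySaveStyle SaveNothing
# PSReadLine 2.1 and later already skip lines containing keywords such as
# password, asplaintext, token, apikey and secret; check the installed version:
#    Get-Module PSReadLine -ListAvailable
```

The script only reads the file and prints a table; the remediation commands are left as comments so that nothing is deleted or reconfigured until the output has been reviewed.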

File explorer recent items:

Command prompt:
Press the F7 key in a Command Prompt window to see the complete command history of the current session. You can also type doskey /history in the CMD window to print the history in the command prompt itself. Unlike PowerShell, cmd.exe does not persist this history to disk by default, so it is only available while the session is still open.

By default, Notepad++ saves backups of opened and created documents in %userprofile%\AppData\Roaming\Notepad++\backup\

Domain controller SYSVOL folder:
SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. SYSVOL contains logon scripts, Group Policy data, and other domain-wide data which needs to be available anywhere there is a Domain Controller. All domain Group Policies are stored under \\<FQDN>\sysvol\<FQDN>\policies. These policies could contain domain admin account credentials (Group Policy Preference items with a cpassword attribute); a quick way to search for these is: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
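As an added example (not part of the original page), the following PowerShell script is the defender's version of the findstr search above: it walks the Policies folder in SYSVOL, lists every Group Policy Preference XML file that still carries a cpassword attribute, and resolves the policy GUID to a GPO display name when the GroupPolicy (RSAT) module is available. It reports whether a value is present rather than the value itself. It assumes it runs on a domain member with the default read access to SYSVOL and that the current domain (from the USERDNSDOMAIN variable) is the one to audit.

```powershell
# Added example (not from the original page): find Group Policy Preference
# items in SYSVOL that still store a cpassword so they can be removed.
# MS14-025 stopped the GPP editor from saving new passwords, but items created
# before that update remain in SYSVOL until someone deletes them.

param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: audit the current domain
)

$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"

function Get-GppPasswordFindings {
    param([string]$Root = $PoliciesPath)

    if (-not (Test-Path $Root)) {
        throw "Cannot reach $Root"
    }

    # GPP files that can embed credentials live under Machine\Preferences and
    # User\Preferences (Groups, ScheduledTasks, Services, DataSources, Drives,
    # Printers). Scanning every XML keeps the check simple and complete.
    Get-ChildItem -Path $Root -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -SimpleMatch |
        ForEach-Object {
            # The policy folder name is the GPO GUID, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
            $guid = $_.Path -split '\\' | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' } | Select-Object -First 1
            $gpoName = $guid
            # Resolve the GUID to a display name if the GroupPolicy module is present
            if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
                try { $gpoName = (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch {}
            }
            [pscustomobject]@{
                GPO      = $gpoName
                Guid     = $guid
                File     = $_.Path
                Line     = $_.LineNumber
                # Report only whether a non-empty value is stored, never the value
                HasValue = ($_.Line -match 'cpassword="[^"]+"')
            }
        }
}

$findings = @(Get-GppPasswordFindings)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    $msg = "{0} GPP item(s) still store a cpassword. Delete or recreate these preference items and rotate the affected account passwords." -f $findings.Count
    Write-Warning $msg
} else {
    Write-Host "No cpassword attributes found under $PoliciesPath"
}
```

Run it from a workstation or server joined to the domain; because it only reads SYSVOL it needs no elevated rights, which is also why the same search is available to any authenticated user and why stale items should be cleaned up rather than left in place.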

IIS log files:
By default these can be found in %SystemDrive%\inetpub\logs\LogFiles

Temp folders:
By default these can be found in %Temp% and C:\Windows\Temp