Commit 8ba59b7
Changed files (37)
networking/protocols/ethernet.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
# Ethernet
Systems communicating over Ethernet divide a stream of data into shorter pieces called frames. Each frame contains source and destination MAC addresses, and error-checking data so that damaged frames can be detected and discarded; most often, higher-layer protocols trigger retransmission of lost frames. As per the OSI model, Ethernet provides services up to and including the data link layer.[1]
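Review bot: `title = ""` leaves this page without a title, and the same empty key is pasted into the front matter of every other `draft = true` page in this commit (ipv4.md, tcp.md, udp.md, vlan.md, the windows/cli/* pages, win_env.md, win_kernel.md, win_passive.md, win_registry.md, win_sid.md). Set `title` to the page's H1 (`title = "Ethernet"` here) or drop the key so the generator's default applies, rather than shipping an empty string. The number of blank lines after the closing `+++` also varies between files (none, one, or two); pick one form for all of them.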
@@ -46,4 +53,4 @@ Short description of why this protocol has a state machine and what it attempts
## References
-* [1]: http://www.tcpipguide.com/free/t_DataLinkLayerLayer2.htm
\ No newline at end of file
+* [1]: http://www.tcpipguide.com/free/t_DataLinkLayerLayer2.htm
networking/protocols/ipv4.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# IPv4 - Internet Protocol Version 4
IPv4 is a connectionless protocol for use on packet-switched networks. It
@@ -74,4 +80,4 @@ IPv4 Header length = **24 bytes**
* [IPv4 Protocol Numbers](https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)
[1]: ../packet_forensics/ipv4_ttl_ws.md
-[2]: ./lists/ip_protocol_numbers.md
\ No newline at end of file
+[2]: ./lists/ip_protocol_numbers.md
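Review bot: the context line in this hunk's header reads `IPv4 Header length = **24 bytes**`. The IPv4 header is 20 bytes without options (IHL = 5) and at most 60 with options, so that figure is wrong or is summing something other than the header; worth correcting while the file is being touched.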
networking/protocols/tcp.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# TCP - Transmission Control Protocol
TCP provides reliable, ordered, and error-checked delivery of a stream of bytes
@@ -91,4 +97,4 @@ TODO: Three way handshake description
*
[1]: ../packet_forensics/ephemeral_ports.md
-[2]: ../packet_forensics/tcp_options_p0f.md
\ No newline at end of file
+[2]: ../packet_forensics/tcp_options_p0f.md
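Review bot: the bare `*` on the context line above `[1]:` is an empty list item that will render as an empty bullet; either fill it in or drop it, and the `TODO: Three way handshake description` in the hunk header is still outstanding.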
networking/protocols/template.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# PN - Protocol Name
@@ -34,4 +40,4 @@ Short description of why this protocol has a state machine and what it attempts
* [rfc####](link)
* [Source Enumeration via PN packets](../packet_forensics/pn_ids.md)
-* [PN address schemes](../compnents/subnetting/pn.md)
\ No newline at end of file
+* [PN address schemes](../compnents/subnetting/pn.md)
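Review bot: the retouched link `../compnents/subnetting/pn.md` has a typo in the directory name (`compnents`); networking/index.md in this same commit links `./components/subnetting`. Since this is the template every protocol page is copied from, the typo will propagate (udp.md already carries it). Note also that the template keeps `.md` suffixes while index.md drops them; pick one convention for internal links.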
networking/protocols/udp.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# UDP - User Datagram Protocol
UDP uses a simple connectionless transmission model with a minimum of protocol
@@ -53,4 +59,4 @@ bits 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* [1](https://tools.ietf.org/html/rfc768)
* [TODO rfc####](link)
* [Source Enumeration via TODO packets](../packet_forensics/todo_ids.md)
-* [TODO address schemes](../compnents/subnetting/todo.md)
\ No newline at end of file
+* [TODO address schemes](../compnents/subnetting/todo.md)
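Review bot: same `compnents` path typo as in template.md on `../compnents/subnetting/todo.md`, and the `TODO` placeholders (`[TODO rfc####](link)`, `todo_ids.md`) are still the template's, so two of the four links on this page are dead. The RFC 768 link is the only real reference here.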
networking/protocols/vlan.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# VLAN - Virtual LAN tagging
IEEE 802.1Q is the networking standard that supports virtual LANs (VLANs) on an
@@ -23,7 +29,7 @@ Ethernet+VLAN total byte count = 6+6+2+2+2+4 = **24 Bytes**
|--------------------------|------------------------------------|--------------------------------------------|
| `ether[0:4], ether[4:2]` | Dest MAC Address | |
| `ether[6:4], ether[8:2]` | Src MAC Address | |
-| `ether[12:2]` | TPID | Tag Protocol ID = `0x8100 |
+| `ether[12:2]` | TPID | Tag Protocol ID = `0x8100` |
| `ether[14:2]` | TCI | Tag control information (PCP + DEI + VLAN) |
| `ether[14] & 0xE0` | PCP | Priority Control Point - 3bits |
| `ether[14] & 0x10` | DEI | Drop Eligible Indicator |
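Review bot: the closing backtick fix on the TPID row is correct, but two things in the same table and its context are wrong. The hunk header's context line `Ethernet+VLAN total byte count = 6+6+2+2+2+4 = **24 Bytes**` does not add up: 6+6+2+2+2+4 is 22. And the PCP field is the "Priority Code Point", not "Priority Control Point"; `ether[14] & 0xE0` isolates its three bits correctly, but the masked value still needs a shift right by 5 to read as the 0..7 priority, which the description could say.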
@@ -43,4 +49,4 @@ Ethernet+VLAN total byte count = 6+6+2+2+2+4 = **24 Bytes**
## Additional resources
-* [VLAN tags - wikipedia](https://en.wikipedia.org/wiki/IEEE_802.1Q)
\ No newline at end of file
+* [VLAN tags - wikipedia](https://en.wikipedia.org/wiki/IEEE_802.1Q)
networking/index.md
@@ -0,0 +1,48 @@
++++
+date = "2016-12-01"
+draft = false
+title = "Networking"
+
++++
+
+# Networking
+
+## Protocols
+
+* [Ethernet](./protocols/ethernet)
+* [VLAN](./protocols/vlan)
+* [IP](./protocols/ipv4)
+* [TCP](./protocols/tcp)
+* [UDP](./protocols/upd)
+* [ARP](./protocols/arp)
+* [ICMP](./protocols/icmp)
+* [DHCP](./protocols/dhcp)
+* Lists
+ * [EtherTypes](./protocols/lists/ether_types)
+ * [IPv4 Protocol Numbers](./protocols/lists/ipv4_protocol_numbers)
+ * [Subnets and CIDRs](./protocols/lists/subnets_and_cidrs)
+ * [TCP/UDP Ports](./protocols/lists/tcp_udp_ports)
+
+## Packet Forensics
+
+* [MAC OUI](./packet_forensics/mac_oui)
+* [IPv4 initial TTL & TCP Window Size](./packet_forensics/ipv4_ttl_ws)
+* [Source Ephemeral ports](./packet_forensics/ephemeral_ports)
+* [TCP options (p0f)](./packet_forensics/tcp_options_p0f)
+* [DHCP options](./packet_forensics/dhcp_options)
+
+## Components
+
+* [Broadcast Domains](./components/broadcast_domains)
+* [Subnetting](./components/subnetting)
+* [Switching](./components/switching)
+* [Routing](./components/routing)
+
+## Pacet Capture
+
+* [bpf](./packet_capture/bpf)
+* [phd](./packet_capture/phd)
+* [tcpdump](./packet_capture/tcpdump)
+* [tshark](./packet_capture/tshark)
+* [wireshark](./packet_capture/wireshark)
+* [snoop](./packet_capture/snoop)
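Review bot: `* [UDP](./protocols/upd)` points at `upd`, but the file added in this commit is `networking/protocols/udp.md`, so the link is broken (the typo is carried over from the deleted readme.md). `## Pacet Capture` should be `Packet Capture`. Also note that every page this index links under Protocols is marked `draft = true` with an empty `title` in this same commit, so with the generator's default settings these links will 404 until the pages are published.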
networking/readme.md
@@ -1,41 +0,0 @@
-# Networking
-
-## Protocols
-
-* [Ethernet](./protocols/ethernet.md)
-* [VLAN](./protocols/vlan.md)
-* [IP](./protocols/ipv4.md)
-* [TCP](./protocols/tcp.md)
-* [UDP](./protocols/upd.md)
-* [ARP](./protocols/arp.md)
-* [ICMP](./protocols/icmp.md)
-* [DHCP](./protocols/dhcp.md)
-* Lists
- * [EtherTypes](./protocols/lists/ether_types.md)
- * [IPv4 Protocol Numbers](./protocols/lists/ipv4_protocol_numbers.md)
- * [Subnets and CIDRs](./protocols/lists/subnets_and_cidrs.md)
- * [TCP/UDP Ports](./protocols/lists/tcp_udp_ports.md)
-
-## Packet Forensics
-
-* [MAC OUI](./packet_forensics/mac_oui.md)
-* [IPv4 initial TTL & TCP Window Size](./packet_forensics/ipv4_ttl_ws.md)
-* [Source Ephemeral ports](./packet_forensics/ephemeral_ports.md)
-* [TCP options (p0f)](./packet_forensics/tcp_options_p0f.md)
-* [DHCP options](./packet_forensics/dhcp_options.md)
-
-## Components
-
-* [Broadcast Domains](./components/broadcast_domains.md)
-* [Subnetting](./components/subnetting.md)
-* [Switching](./components/switching.md)
-* [Routing](./components/routing.md)
-
-## Pacet Capture
-
-* [bpf](./packet_capture/bpf.md)
-* [phd](./packet_capture/phd.md)
-* [tcpdump](./packet_capture/tcpdump.md)
-* [tshark](./packet_capture/tshark.md)
-* [wireshark](./packet_capture/wireshark.md)
-* [snoop](./packet_capture/snoop.md)
\ No newline at end of file
windows/cli/sysinternals/handle.md
@@ -1,3 +1,11 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
+
# handle
https://technet.microsoft.com/en-us/sysinternals/handle
windows/cli/sysinternals/listdlls.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# listdlls
windows/cli/sysinternals/pskill.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# pskill
https://technet.microsoft.com/en-us/sysinternals/pskill
windows/cli/sysinternals/pslist.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# pslist
https://technet.microsoft.com/en-us/sysinternals/pslist.aspx
windows/cli/sysinternals/psservice.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# psservice
https://technet.microsoft.com/en-us/sysinternals/psservice
windows/cli/arp.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
# arp
https://technet.microsoft.com/en-us/library/bb490864.aspx
windows/cli/cmd.md
@@ -1,3 +1,11 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
+
# cmd.exe
## File location
@@ -7,4 +15,4 @@
| **x86 system** | system32 | N/A |
| **x64 system** | syswow64 | system32 |
-Native Commands: `copy`, `move`, `dir`, `set`, `date`, `help`, `path`
\ No newline at end of file
+Native Commands: `copy`, `move`, `dir`, `set`, `date`, `help`, `path`
windows/cli/driverquery.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# driverquery
https://technet.microsoft.com/en-us/library/bb490896.aspx
windows/cli/ds.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# Links
windows/cli/icacls.md
@@ -0,0 +1,191 @@
++++
+date = "2016-12-02"
+draft = false
+title = "icacls"
+
++++
+
+#`icacls`
+
+Change file and folder permissions - display or modify Access Control Lists (ACLs) for files and folders.
+
+The `icacls` command should be used instead of `cacls` on Windows Server 2003
+SP 2 and higher.
+
+
+Unfortunately the TechNet documentation isn't very complete. Using both
+of the following links provides a good picture of the command.
+
+| Description | Link |
+|-----------------------|-------------------------------------------------------------|
+| Good syntax reference | <http://ss64.com/nt/icacls.html> |
+| Technet Article | <https://technet.microsoft.com/en-us/library/cc753525.aspx> |
+
+## Syntax through Examples
+
+```bash
+# Give a user full control over a fiile
+icacls "C:\Example\UserFiles\Andrew.txt" /grant Andrew:F
+
+# Grant a domain user
+icacls "C:\Windows\notepad.exe" /grant WIN7\Administrator:F
+
+# Give Awesome group members Read Only access to the Docs directory and all files contained
+icacls "C:\Example\Docs" /grant Awesome:(OI)(R)
+
+# Give Cool group members write only access to a directory and all subfolders
+icacls "C:\Example" /grant Cool:(CI)(W)
+
+# Disable Inheritance, but keep the rules that were applied through inheritance
+icacls "C:\Example\Docs\Restricted.txt" /inheritance:D
+
+# Remove a user and check permissions
+icacls "C:\Example\Docs\Restricted.txt" /remove Tom && icacls "C:\Example\Docs\Restricted.txt"
+```
+
+More info on the inheritance flag:
+
+```bash
+# Disable inheritance without removing the applied rules
+/inheritance:D
+
+# Enable inheritance
+/inheritance:E
+
+# Remove all inherited rules - be careful with this one
+/inheritance:R
+```
+
+```
+icacls file /inheritance:d /remove:g "Authenticated Users"
+icacls file /inheritance:d /remove:g "Users
+```
+
+Additional things to think about:
+
+```bash
+ /T Traverse all subfolders to match files/directories.
+
+ /C Continue on file errors (access denied) Error messages are still displayed.
+
+ /L Perform the operation on a symbolic link itself, not its target.
+
+ /Q Quiet - supress success messages.
+
+ /grant :r user:permission
+ Grant access rights, with :r, the permissions
+ will replace any previouly granted explicit permissions.
+ Otherwise the permissions are added.
+
+ /deny user:permission
+ Explicitly deny the specified user access rights.
+ This will also remove any explicit grant of the
+ same permissions to the same user.
+
+ /remove[:[g|d]] User
+ Remove all occurrences of User from the acl.
+ :g remove all granted rights to that User/Sid.
+ :d remove all denied rights to that User/Sid.
+```
+
+## Values to Remember
+
+### Permisions
+
+```bash
+icacls "C:\File Name" /grant Andrew:F
+```
+
+| Perm | Description |
+|-----:|:------------------------|
+| `N` | No access |
+| `F` | Full access |
+| `M` | Modify access |
+| `RX` | Read and execute access |
+| `R` | Read-only access |
+| `W` | Write-only access |
+| `D` | Delete access |
+
+### Inheritance codes
+
+Some terms:
+1. Container (C)
+ * Generally a folder, in regard to the filesystem
+2. Object (O)
+ * This is a file
+
+
+| Rights | Description |
+|--------|------------------------------------------------------------------------------------------------------------------------------------------------|
+| `(I)` | "Inherited": This ACE was inherited from the parent container. |
+| `(OI)` | "Object inherit": This ACE will be inherited by objects placed in this container. |
+| `(CI)` | "Container inherit": This ACE will be inherited by subcontainers placed in this container. |
+| `(IO)` | "Inherit only": This ACE will be inherited (see OI and CI), but does not apply to this object itself. |
+| `(NP)` | "Do not propagate": This ACE will be inherited by objects and subcontainers one level deep โ it will not apply to things inside subcontainers. |
+
+Example:
+
+```bash
+# Give Andrew full control over the "MyDocs" folder, subfolder, and files
+icacls "C:\MyDocs" /grant Andrew:(OI)(CI)(F)
+```
+
+What combined inheritance codes can mean:
+
+| Inheritance Code | Description |
+|-----------------:|:------------------------------------|
+| `(OI)` | This folder and files |
+| `(CI)` | This folder and subfolders. |
+| `(OI)(CI)` | This folder, subfolders, and files. |
+| `(OI)(CI)(IO)` | Subfolders and files only. |
+| `(CI)(IO)` | Subfolders only. |
+| `(OI)(IO)` | Files only. |
+
+### Individual Rights
+
+Specific rights can be specified as well, comma-separated and in parentheses:
+
+```bash
+icacls "C:\My Folder" /grant "Andrew":(DE,RC,WDAC)
+```
+
+| Right | Description |
+|-------:|:-----------------------------|
+| `DE` | Delete |
+| `RC` | Read control |
+| `WDAC` | Write DAC |
+| `WO` | Write owner |
+| `S` | Synchronize |
+| `AS` | Access system security |
+| `MA` | Maximum allowed |
+| `GR` | Generic read |
+| `GW` | Generic write |
+| `GE` | Generic execute |
+| `GA` | Generic all |
+| `RD` | Read data/list directory |
+| `WD` | Write data/add file |
+| `AD` | Append data/add subdirectory |
+| `REA` | Read extended attributes |
+| `WEA` | Write extended attributes |
+| `X` | Execute/traverse |
+| `DC` | Delete child |
+| `RA` | Read attributes |
+| `WA` | Write attributes |
+
+## Interpreting Output
+
+Be able to interpret output like this:
+
+```bash
+icacls "C:\Folder Name"
+. NT AUTHORITY\IUSR:(M)
+ BUILTIN\IIS_IUSRS:(M)
+ BUILTIN\IIS_IUSRS:(OI)(CI)(M)
+ NT AUTHORITY\IUSR:(OI)(CI)(M)
+ BUILTIN\IIS_IUSRS:(I)(OI)(CI)(RX)
+ NT AUTHORITY\IUSR:(I)(OI)(CI)(RX)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(F)
+```
+
+
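Review bot: `icacls file /inheritance:d /remove:g "Users` is missing its closing quote, so the second example in that fence is not a runnable command. A few more points in the same page: `#`icacls`` needs a space after `#` to render as a heading; the `(NP)` row contains a mis-encoded character (`one level deep โ it will not`) where a dash belongs; typos `fiile`, `supress`, `previouly`, `Permisions`. In the "Interpreting Output" block the command is `icacls "C:\Folder Name"` but the first output line starts with `.`, which is what `icacls .` prints; make the command and output match. Since the page asks the reader to interpret that output, it is worth one sentence on what it shows: `NT AUTHORITY\IUSR` and `BUILTIN\IIS_IUSRS` hold explicit `(OI)(CI)(M)` on the folder, i.e. the web server identities can create, modify and delete everything beneath it, which is the thing to notice when reviewing a content directory. Finally, the fences are tagged `bash` but the commands are cmd.exe syntax; `cmd` or `bat` would be more accurate.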
windows/cli/nbstat.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# nbstat
https://technet.microsoft.com/en-us/library/cc940106.aspx
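Review bot: the Windows NetBIOS-over-TCP/IP tool is `nbtstat`, not `nbstat`; both the file name `windows/cli/nbstat.md` and the heading `# nbstat` should be renamed (the TechNet page linked is the nbtstat reference). Renaming the file will also need the corresponding index entry if one is added to windows/index.md.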
windows/cli/netsh.md
@@ -1,13 +1,22 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# `netsh`
Advanced networking command-line utility.
Resources
-| Description | Link |
+| Description | Link |
|--------------------------------------------------------------|--------------------------------------------------------------------------|
| Shows: Enabling ports, services, programs, logging, and more | <https://support.microsoft.com/en-us/kb/947709> |
| Logging Specific information | <https://technet.microsoft.com/en-us/library/cc787462%28v=ws.10%29.aspx> |
+| Disabling specific firewall profiles | [MSDN](https://msdn.microsoft.com/en-us/library/dd772588) |
+| `netsh advfirewall firewall` docs | [TechNet](https://technet.microsoft.com/en-us/library/dd734783) |
+| Some additional examples (old and new firewall cmds) | [support.microsoft](https://support.microsoft.com/en-us/kb/947709) |
| | |
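Review bot: the new third row `Some additional examples (old and new firewall cmds)` links to `https://support.microsoft.com/en-us/kb/947709`, which is the same URL as the first row; either merge the two descriptions or point the new row at the intended page. The trailing `| | |` row is empty and renders as a blank table row, and `Resources` above the table is plain text rather than a heading, unlike the other pages in this commit.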
windows/cli/netstat.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# netstat
https://technet.microsoft.com/en-us/library/bb490947.aspx
windows/cli/pathping.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
# pathping
https://technet.microsoft.com/en-us/library/bb490964.aspx
windows/cli/ping.md
@@ -1,3 +1,11 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
+
# ping
https://technet.microsoft.com/en-us/library/bb490968.aspx
windows/cli/sc.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# `sc`
The Services Controller (SC) utility is native to Windows, and is included with the installation of the operating system. It includes a number of options that provide the functionality to allow you to view, manage and configure the services on the local computer as well as a remote computer.
windows/cli/taskkill.md
@@ -1,4 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# taskkill
https://technet.microsoft.com/en-us/library/bb491009.aspx
windows/cli/tasklist.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# tasklist
https://technet.microsoft.com/en-us/library/bb491010.aspx
windows/cli/template.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# command name
Link to online man page or main documentation
windows/cli/tracert.md
@@ -1,3 +1,9 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
# tracert
https://technet.microsoft.com/en-us/library/cc940128.aspx
windows/img/AuditingEventTypes.PNG
Binary file
windows/img/AuditingRegistry.PNG
Binary file
windows/auditing.md
@@ -0,0 +1,234 @@
++++
+date = "2016-12-01"
+draft = false
+title = "Windows Auditing"
+
++++
+
+### Useful Links
+
+| Title | Link | Description |
+|-----------------------------------------|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Advanced Security Audit Policy Settings | [technet](https://technet.microsoft.com/en-us/library/dn319056.aspx) | Provides information about the Advanced Audit policy settings that are available in Windows operating systems and the audit events that they generate |
+| Audit Policy | [technet](https://technet.microsoft.com/en-us/library/cc766468%28v=ws.10%29.aspx) | Has a section for category / subcategory description |
+| Windows Security Log Events | [ultimate windows security](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx) | Lookup Event Types |
+
+### Registry Information
+
+
+
+
+| Value for A-G | Meaning |
+| --------------: | :------------------------------------ |
+| `1` | Success Auditing is enabled |
+| `2` | Failure Auditing is enabled |
+| `3` | Both Succes and Failure are enabled |
+
+| Value for Z | Meaning |
+| ------------: | :------------------- |
+| `0` | Policy is disabled |
+| `1` | Policy is enabled |
+
+__NOTE:__ You can have an audit policy (such as Audit Successful and Failed
+Logon Attempts), but have it disabled. You may also have an enabled audit policy
+that audits nothing.
+
+### Auditable Event Categories
+
+| Category | Description |
+|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| System | User restarts or shuts down the computer. Additionally, audits events that affect system security or the security log. |
+| Logon | User logs on or off the local computer. This also audits attempts to make a network connection |
+| Object Access | User gains access to a file folder or printer, or any other securable object |
+| Privilege Use | User exercises a right such as taking ownership of a file, or attempts to |
+| Detail Tracking | Application performs an action such as program activation, some forms of handle duplication, indirect access to an object,and process exit. |
+| Policy Change | Change is made to the user security options, user rights, or Audit policies |
+| Account Management | Administrator creates, changes, or deletes a user account or group. Also, audits password changes. |
+| Directory Service Access | User gains access to an Active Directory object |
+| Account Logon | Domain controller receives a request to validate a user account. Additionally audits logon attempts by privileged accounts that log on to the domain controller. These events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller. |
+
+### Event Types ([msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363662.aspx))
+
+| Event type | Description |
+|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Error | An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged. |
+| Warning | An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event. |
+| Information | An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts. |
+| Success Audit | An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event. |
+| Failure Audit | An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event. |
+
+### Event ID's
+
+## Tools
+
+The following tools can be used to edit audit policies or view event logs:
+
+| Tool | Description |
+|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `AuditPol.exe` | A command line tool, native to Windows, to enable, disable, and change audit policy. |
+| `EventQuery.vbs` | A built-in tool used to query and view Windows event logs. EventQuery has multiple options to filter queries and enables an administrator to list the events and event properties from one or more event logs. |
+| `PSLogList.exe` | A tool that allows you to login to remote systems in situations your current set of security credentials |
+| `wevtutil.exe` | (Windows 7+) Windows Events Command Line Utility. Enables you to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs. |
+
+
+### `AuditPol.exe`
+
+AuditPol is a command line tool, native to Windows, to enable, disable, and
+change audit policy
+
+### Get an Audit Status Overview
+
+Just run AuditPol
+
+```bash
+C:\>AuditPol
+Running ...
+
+(0) Audit Disabled
+
+AuditCategorySystem = No
+AuditCategoryLogon = No
+AuditCategoryObjectAccess = No
+AuditCategoryPrivilegeUse = No
+AuditCategoryDetailedTracking = No
+AuditCategoryPolicyChange = No
+AuditCategoryAccountManagement = No
+Unknown = No
+Unknown
+```
+
+For a description of these catigories, go to the Win32 api, of course. [MSDN](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721903.aspx)
+
+
+### User Auditing Information
+
+```bash
+# Who is being audited?
+AuditPol /List /User
+# How?
+AuditPol /Get /User:UserName /Category:*
+# What's the user's SID?
+AuditPol /List /User /V
+```
+
+### Find the Category / Subcategory names
+
+To know what to get/set you're going to need to know the Category/Subcategory
+name. The following command clearly lists all of the available options.
+
+```bash
+# Get all top level categories
+AuditPol /List / Category
+# Need the GUID to search for the registry entry?
+AuditPol /List /Category /V
+
+# List all subcategories
+auditpol /list /subcategory:*
+# List a specific category
+auditpol /list /subcategory:"Privilege Use"
+```
+
+Use either of the TechNet links above to find more information about a
+Category/Subcategory.
+
+### Get
+
+This section just lists out some acceptable syntax. It was taken from the
+help output of the command.
+
+```bash
+auditpol /get /user:domain\user /Category:"Detailed Tracking","Object Access"
+auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r
+auditpol /get /option:CrashOnAuditFail
+auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:"System"
+auditpol /get /sd
+```
+
+### Set
+
+This section just lists out some acceptable syntax. It was taken from the
+help output of the command.
+
+```bash
+auditpol /set /user:domain\user /Category:"System" /success:enable /include
+auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable
+auditpol /set /option:CrashOnAuditFail /value:enable
+auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)
+```
+
+### Examples
+
+```bash
+# Setting a bunch of policies
+auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
+auditpol /set /subcategory:"Account Lockout" /success:disable /failure:disable
+auditpol /set /subcategory:"Registry" /success:enable /failure:enable
+auditpol /set /subcategory:"Kernel Object" /success:enable
+auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
+auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
+auditpol /set /subcategory:"Directory Service Changes" /success:enable
+auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
+
+```
+
+Categories can be comma separated:
+
+```bash
+auditpol /set /Category:"System,Privilege Use" /success:enable
+```
+
+## `PSLogList.exe`
+
+Get the last 10 lines of the system log:
+
+```bash
+psloglist -n 10 system
+psloglist -s -t "\t" -n 20 Security | findstr /n /i "<FILTER>"
+```
+
+## `wevtutil.exe` ([technet](https://technet.microsoft.com/en-us/library/cc732848.aspx))
+
+This command is only available on Windows 7+.
+
+
+`wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]`
+
+Commands
+
+| Short Name | Long Name | Description |
+|------------|----------------------|----------------------------------------------------|
+| `el` | `enum-logs` | List log names. |
+| `gl` | `get-log` | Get log configuration information. |
+| `sl` | `set-log` | Modify configuration of a log. |
+| `ep` | `enum-publishers` | List event publishers. |
+| `gp` | `get-publisher` | Get publisher configuration information. |
+| `im` | `install-manifest` | Install event publishers and logs from manifest. |
+| `um` | `uninstall-manifest` | Uninstall event publishers and logs from manifest. |
+| `qe` | `query-events` | Query events from a log or log file. |
+| `gli` | `get-log-info` | Get log status information. |
+| `epl` | `export-log` | Export a log. |
+| `al` | `archive-log` | Archive an exported log. |
+| `cl` | `clear-log` | Clear a log. |
+
+Get help on a specific command:
+
+```bash
+wevtutil COMMAND /?
+# Example
+wevtutil gl /?
+# Or
+wevtutil get-log /?
+```
+
+Get the last 10 lines of the system log:
+
+```bash
+# Query Events in the System log, return 10, most recent first, in text format
+wevtutil qe System /c:10 /rd:true /f:text
+```
+
+Get a list of all the log files
+
+```bash
+webtutil el
+```
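Review bot: two of the commands on this page do not run as written: `AuditPol /List / Category` has a stray space and should be `AuditPol /List /Category`, and the final fence reads `webtutil el` for `wevtutil el`. Several other points in the same hunk: the "Get an Audit Status Overview" block (`(0) Audit Disabled`, `AuditCategorySystem = No`, ...) is the output format of the old Resource Kit auditpol, not the auditpol.exe built into Vista and later, which prints usage when run with no arguments; the modern equivalent of that overview is `auditpol /get /category:*`. `wevtutil` shipped with Windows Vista / Server 2008, so "only available on Windows 7+" is too narrow. The "Registry Information" section has no body: the `Value for A-G` and `Value for Z` tables refer to a value format that is never shown, and the two PNGs added in this commit (AuditingRegistry.PNG, AuditingEventTypes.PNG) are never referenced, so presumably the image embeds were dropped. `### Event ID's` is an empty section (and should be `Event IDs`). The `PSLogList.exe` description ("allows you to login to remote systems in situations your current set of security credentials") is cut off and does not describe the tool, which dumps event log records from a local or remote system. Heading levels are inconsistent: `AuditPol.exe` and its subsections are all `###` under `## Tools`, while `PSLogList.exe` and `wevtutil.exe` are `##`. The `/set` examples include `auditpol /set /option:CrashOnAuditFail /value:enable`; since this page is for practitioners, add a caveat that with that option enabled the system halts with a STOP error when it can no longer write to the Security log. `auditpol /set /Category:"System,Privilege Use"` uses a different quoting form from the help example `"Detailed Tracking","Object Access"` above it; verify which one the tool accepts. Typos: `Succes`, `catigories`.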
windows/index.md
@@ -0,0 +1,6 @@
++++
+date = "2016-12-01"
+draft = false
+title = "Windows"
+
++++
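Review bot: windows/index.md is front matter only, with no body, so the Windows section renders as an empty page. networking/index.md in this commit lists its pages; this one should at least link the two non-draft pages added here (`cli/icacls` and `auditing`), otherwise nothing reaches them.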
windows/win_env.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
# Environmental Variables
## Registry storage
windows/win_kernel.md
@@ -1,3 +1,11 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
+
# Windows Kernel
Need URL or page number:
@@ -18,4 +26,4 @@ Kernel Reference https://msdn.microsoft.com/en-us/library/ee482973.aspx
Kernel Functions https://msdn.microsoft.com/en-us/library/ee482951.aspx
[MSDN: Types of Windows Drivers]: https://msdn.microsoft.com/en-us/library/windows/hardware/ff564864(v=vs.85).aspx
[Understanding User and Kernel Mode]: https://blog.codinghorror.com/understanding-user-and-kernel-mode/
-[MSDN: User and Kernel Mode]: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
\ No newline at end of file
+[MSDN: User and Kernel Mode]: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
windows/win_passive.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
## process list
| System PID | Win OS Version |
windows/win_registry.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
# Windows Registry
## Registry Structure
@@ -77,4 +84,4 @@ TODO move to tools pages:
[2]: Windows Internals Part 1, 6th Edition: pg 278
[3]: Windows Internals Part 1, 6th Edition: pg 280
[4]: Windows Internals Part 1, 6th Edition: pg 295
-[5]: https:/msdn.microsoft.com/en-us/library/windows/desktop/ms724881(v=vs.85).aspx
\ No newline at end of file
+[5]: https:/msdn.microsoft.com/en-us/library/windows/desktop/ms724881(v=vs.85).aspx
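Review bot: the re-added reference `[5]: https:/msdn.microsoft.com/...` still has a single slash after `https:`, so the link is malformed; since the line is being rewritten anyway (newline fix), correct it to `https://`.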
windows/win_sid.md
@@ -1,3 +1,10 @@
++++
+date = "2016-12-01"
+draft = true
+title = ""
+
++++
+
## SID Components
0. Prefix (S)