WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

More MFT Rules - Fix NTDS.DIT matching ADAMNTDS.DIT and Add Shadow Dumper and PSTools #196

Closed reece394 closed 1 day ago

reece394 commented 1 week ago

Some more MFT rules. I attempted to further reduce the false positive entries for NTDS.DIT. ADAMNTDS.DIT can be abused too, so I created a separate rule for that based on here. Also added Shadow Dumper support from here. Also added the rest of the PSTools folder, as this frequently pops up.
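
The matching problem the PR title refers to, illustrated as an added example that is not chainsaw's code or the PR's rule: a rule that tests whether a filename contains `ntds.dit` also fires on `ADAMNTDS.DIT` (the AD LDS database), so the two need exact basename matches and separate rules. The sample MFT paths are constructed, and the extra "NTDS.DIT outside `\Windows\NTDS`" check is my own false-positive heuristic, not necessarily what the PR's rule does.

```python
"""Added example (not chainsaw's code): substring vs exact-basename matching
for NTDS.DIT / ADAMNTDS.DIT over constructed MFT full paths."""
import ntpath

# Constructed sample MFT full paths; not taken from a real image.
SAMPLE_PATHS = [
    r"C:\Windows\NTDS\ntds.dit",                                      # default DC location
    r"C:\Temp\ntds.dit",                                              # copied out of place
    r"C:\Program Files\Microsoft ADAM\instance1\data\adamntds.dit",   # AD LDS database
    r"C:\Users\admin\Desktop\ADAMNTDS.DIT",                           # AD LDS copy
    r"C:\Windows\NTDS\ntds.jfm",                                      # same dir, not the DIT
]


def substring_rule(path: str) -> bool:
    """Naive rule: basename contains 'ntds.dit'. Also fires on ADAMNTDS.DIT."""
    return "ntds.dit" in ntpath.basename(path).lower()


def ntds_rule(path: str) -> bool:
    """Exact, case-insensitive basename match for NTDS.DIT only."""
    return ntpath.basename(path).lower() == "ntds.dit"


def adamntds_rule(path: str) -> bool:
    """Separate exact match for the AD LDS database, ADAMNTDS.DIT."""
    return ntpath.basename(path).lower() == "adamntds.dit"


def ntds_outside_default(path: str) -> bool:
    """Assumed heuristic (mine, not the PR's): NTDS.DIT anywhere other than the
    default %SystemRoot%\\NTDS directory is worth a look. The DIT path can be
    changed at promotion time, so treat this as a hunting lead, not proof."""
    parent = ntpath.dirname(path).lower()
    return ntds_rule(path) and not parent.endswith(r"\windows\ntds")


def classify(paths):
    """Apply each rule to every path and return the hits per rule, in input order."""
    rules = {
        "substring": substring_rule,
        "ntds": ntds_rule,
        "adamntds": adamntds_rule,
        "ntds_outside_default": ntds_outside_default,
    }
    return {name: [p for p in paths if rule(p)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in classify(SAMPLE_PATHS).items():
        print(f"{name}:")
        for hit in hits:
            print(f"  {hit}")
```

Run as-is, the `substring` rule lists both NTDS and ADAMNTDS paths, while the `ntds` and `adamntds` rules split them cleanly; the `ntds.jfm` entry in the same directory matches nothing.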

FranticTyping commented 1 day ago

Great additions again, thanks!