mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,14 @@
|
||||
# Standards - Shellbag Forensics
|
||||
## Standards
|
||||
- NIST SP 800-86: Guide to Integrating Forensic Techniques
|
||||
- SWGDE Best Practices for Computer Forensics
|
||||
## Tools
|
||||
- SBECmd (Eric Zimmerman): Command-line shellbag parser
|
||||
- ShellBags Explorer (Eric Zimmerman): GUI shellbag viewer
|
||||
- Registry Explorer (Eric Zimmerman): Registry hive analysis
|
||||
## Registry Locations
|
||||
- NTUSER.DAT: Software\Microsoft\Windows\Shell\BagMRU and Bags
|
||||
- UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Bags
|
||||
## MITRE ATT&CK
|
||||
- T1083 - File and Directory Discovery
|
||||
- T1005 - Data from Local System
|
||||
@@ -0,0 +1,15 @@
|
||||
# Workflows - Shellbag Analysis
|
||||
## Workflow 1: Folder Access Investigation
|
||||
```
|
||||
Extract NTUSER.DAT and UsrClass.dat from evidence
|
||||
|
|
||||
Parse with SBECmd to CSV
|
||||
|
|
||||
Open in Timeline Explorer
|
||||
|
|
||||
Filter by path patterns (USB drives, network shares)
|
||||
|
|
||||
Correlate with MFT and LNK file timestamps
|
||||
|
|
||||
Document folder access timeline
|
||||
```
|
||||
Reference in New Issue
Block a user