Forensics

Event logs

# list event logs (Get-EventLog only reads the classic logs and only exists in Windows PowerShell, not PowerShell 7; Get-WinEvent covers the rest)
Get-EventLog -List

# search an event log for a string in the message body, one table row per event
Get-EventLog -LogName "NAME" | where {$_.Message -like '*CUSTOM*'} | select Message | format-table -wrap

# same search, but print each message as a list entry instead of a wrapped table row
Get-EventLog -LogName "NAME" | where {$_.Message -like '*CUSTOM*'} | select Message | fl
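The same kind of search with Get-WinEvent, which also reads the "Applications and Services" logs that Get-EventLog cannot, and which filters at the log service rather than in the pipeline, so it is far faster on a busy Security log. This is an added example, not code from the original page; it assumes an elevated prompt (the Security log is not readable otherwise), and the log name, event ID, account pattern and output path in the usage line are placeholders.

```powershell
# Added example: search a Windows event log with Get-WinEvent and pull the
# structured EventData fields out of each hit instead of grepping the
# rendered message. Log name, IDs and pattern below are illustrative.

function Search-WinEventMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $LogName,
        [Parameter(Mandatory)] [string]   $Pattern,      # wildcard, as for -like
        [int[]]                           $Id,           # optional event ID filter
        [datetime]                        $StartTime = (Get-Date).AddHours(-24),
        [string]                          $ComputerName  # optional remote host
    )

    # Build the hashtable filter once and only add the keys that were supplied;
    # an empty value in the hashtable makes Get-WinEvent throw.
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($Id) { $filter['Id'] = $Id }

    # SilentlyContinue turns "No events were found" into an empty result.
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }

    Get-WinEvent @params |
        Where-Object { $_.Message -like $Pattern } |
        ForEach-Object {
            # The rendered Message is free text; the EventData fields are what
            # belongs in a timeline, so read them from the event's XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                # Classic events carry unnamed <Data> elements; skip those.
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Provider    = $_.ProviderName
                Computer    = $_.MachineName
                User        = $data['TargetUserName']
                LogonType   = $data['LogonType']
                SourceIp    = $data['IpAddress']
                Message     = ($_.Message -split "`r?`n")[0]   # first line only
            }
        }
}

# Usage: interactive RDP logons (4624, logon type 10) in the last 24h whose
# message mentions the account of interest, sorted into a CSV for a timeline.
Search-WinEventMessage -LogName 'Security' -Id 4624 -Pattern '*CUSTOM*' |
    Where-Object LogonType -eq '10' |
    Sort-Object TimeCreated |
    Export-Csv -Path "$env:TEMP\logons.csv" -NoTypeInformation
```

Add a -ComputerName to run the same search against a remote host over RPC; the hashtable filter is evaluated there, so only matching records cross the wire.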

Network Packet Capture

Note

Windows now ships with pktmon, which has much of the functionality below built in, including its own ETL-to-pcapng conversion. Worth a look.
Ref: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/pktmon

The Windows built-in utility netsh can capture the traffic of the local system (it needs an elevated prompt). The capture is written in the ETL format, which Wireshark cannot read directly, so it has to be converted afterwards. Note the defaults: the trace file is a 250 MB circular buffer, so a long capture silently overwrites its oldest packets unless you raise maxSize.

# Captures the local network traffic, optionally only packets to/from the specified IP.
netsh trace start capture=yes [tracefile=<OUTPUT_ETL>] [IPv4.Address=<IP>]
# Same, but without the diagnostic .cab report that is otherwise built when the trace stops (slow, and rarely wanted for a packet capture).
# netsh trace start capture=yes report=disabled

# Stops the network capture and closes the ETL file.
netsh trace stop

Convert the ETL file to pcapng (which Wireshark and tshark read natively) using etl2pcapng

Windows: https://github.com/microsoft/etl2pcapng

Linux: https://github.com/aaptel/etl2pcap.git

Merge multiple pcaps together (mergecap ships with Wireshark, on Windows too; packets are ordered by timestamp)

# linux
mergecap -w <new pcap> <pcap 1> <pcap 2> [...]
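The capture, convert and merge steps above as one script, for collecting from a Windows host during an incident and leaving hashed evidence files behind. This is an added example, not code from the original page or the tools' own documentation; it assumes an elevated PowerShell session, and the paths to etl2pcapng.exe and mergecap.exe are placeholders for wherever you installed them.

```powershell
# Added example: netsh capture -> etl2pcapng -> mergecap, with a ring buffer
# sized explicitly and SHA-256 hashes of the evidence written beside it.
# Tool paths and the output directory are assumptions, adjust to taste.

param(
    [string] $OutDir     = "$env:SystemDrive\IR\capture",
    [int]    $Seconds    = 300,        # how long to capture
    [int]    $MaxSizeMB  = 1024,       # ring-buffer size; netsh default is 250 MB
    [string] $FilterIp   = '',         # optional IPv4.Address= filter
    [string] $Etl2PcapNg = 'C:\Tools\etl2pcapng.exe',
    [string] $MergeCap   = 'C:\Program Files\Wireshark\mergecap.exe'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Host name plus timestamp in the file name, so captures from several machines
# can later be merged without collisions.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl   = Join-Path $OutDir "$env:COMPUTERNAME-$stamp.etl"
$pcap  = [IO.Path]::ChangeExtension($etl, '.pcapng')

# Build the netsh argument list; add the IP filter only when one was given.
$netshArgs = @('trace', 'start', 'capture=yes', 'report=disabled', 'overwrite=yes',
               "tracefile=$etl", "maxSize=$MaxSizeMB")
if ($FilterIp) { $netshArgs += "IPv4.Address=$FilterIp" }

& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

try {
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace, even on Ctrl-C; otherwise the ETW session keeps
    # running after the script exits and the ETL file stays locked.
    & netsh trace stop | Out-Null
}

# Convert to pcapng so Wireshark/tshark can open it.
& $Etl2PcapNg $etl $pcap
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed ($LASTEXITCODE)" }

# Merge every capture in the directory (this run plus earlier ones) into a
# single file; mergecap orders the packets by timestamp. The merged file is
# excluded from its own input list.
$inputs = Get-ChildItem $OutDir -Filter '*.pcapng' |
    Where-Object Name -ne 'merged.pcapng' |
    ForEach-Object FullName
& $MergeCap -w (Join-Path $OutDir 'merged.pcapng') @inputs
if ($LASTEXITCODE -ne 0) { throw "mergecap failed ($LASTEXITCODE)" }

# Hash the raw and converted captures for chain of custody.
Get-FileHash -Algorithm SHA256 -Path $etl, $pcap |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -Append -NoTypeInformation
```

Keep the original .etl as well as the .pcapng: the ETL is what netsh produced, and the conversion can drop metadata (for example the capturing interface), so the hash of the ETL is the one to cite.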