PTFM: Purple Team Field Manual PDF

294 Pages·2020·2.687 MB·English

Preview PTFM: Purple Team Field Manual

Copyright © 2020 by Tim Bryant All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher. Accessing an information system without the express permission of the owner is illegal and this book does not encourage or promote unethical behavior. Product names, logos, brands and other trademarks featured or referred to within PTFM are the property of their respective trademark holders. The author does not intend to infringe on any trademark. These trademark holders are not affiliated with PTFM. They do not sponsor or endorse our products, materials or company in any way. PTFM attempts to ensure that the information in this publication is complete and accurate; however, this information may contain typographical errors or other errors or inaccuracies. We assume no responsibility for such errors and omissions. PTFM assumes no responsibility for any damages resulting from the use of information in this publication. 
If you have any suggestions or corrections please submit them at https://purpleteamfieldmanual.com/contact

Table of Contents

WINDOWS: General Information, Initial access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration
*NIX: General Information, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration
Network: General Information, Attack, Detection
OSINT: OSINT
Container Breakout: Kubernetes, Docker
Malware Analysis: Static Analysis, Dynamic Analysis
Wireless
Attack Frameworks
Web: User Agents
Database: MySQL, PostgreSQL, MS SQL
Scripting: Powershell, Python, Bash
ASCII Table

WINDOWS GENERAL INFORMATION

Windows NT versions

| NT Version | Windows OS |
|---|---|
| NT 3.1 | Windows NT 3.1 |
| NT 3.5 | Windows NT 3.5 |
| NT 3.51 | Windows NT 3.51 |
| NT 4.0 | Windows NT 4.0 |
| NT 4.1 | Windows 98 |
| NT 4.9 | Windows Me |
| NT 5.0 | Windows 2000 |
| NT 5.1 | Windows XP |
| NT 5.2 | Windows XP (x64), Windows Server 2003 & R2, Windows Home Server |
| NT 6.0 | Windows Vista, Windows Server 2008 |
| NT 6.1 | Windows 7, Windows Server 2008 R2, Windows Home Server 2011 |
| NT 6.2 | Windows 8, Windows Phone 8, Windows Server 2012 |
| NT 6.3 | Windows 8.1, Windows Server 2012 R2, Windows Phone 8.1 |
| NT 10 | Windows 10, Windows Server 2016, Windows Server 2019 |

Commonly Used Windows Registry Locations

| Name | Registry Location |
|---|---|
| OS Information | HKLM\Software\Microsoft\Windows NT\CurrentVersion |
| Product Name | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName |
| Date of Install | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate |
| Registered Owner | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner |
| System Root | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot |
| Time Zone | HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias |
| Mapped Network Drives | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Explorer\Map Network Drive MRU |
| Mounted Devices | HKLM\System\MountedDevices |
| USB Devices | HKLM\System\CurrentControlSet\Enum\USBStor |
| Audit Policies | HKLM\Security\Policy\PolAdTev |
| Installed Software (Machine) | HKLM\Software |
| Installed Software (User) | HKCU\Software |
| Recent Documents | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
| Recent User Locations | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU |
| Typed URLs | HKCU\Software\Microsoft\Internet Explorer\TypedURLs |
| MRU List | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
| Last Registry Key Accessed | HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey |

Windows Directories

| Directory | Description |
|---|---|
| C:\Windows\System32\drivers\etc\hosts | DNS file |
| C:\Windows\System32\drivers\etc\networks | Network Config file |
| C:\Windows\System32\config\SAM | Usernames and Password |
| C:\Windows\System32\config\SECURITY | Security Log |
| C:\Windows\System32\config\SOFTWARE | Software Log |
| C:\Windows\System32\config\SYSTEM | System Log |
| C:\Windows\System32\winevt\ | Windows Event Logs |
| C:\Windows\repair\SAM | Backup of User and Password |
| C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ | Windows XP All User Startup |
| C:\Documents and Settings\User\Start Menu\Programs\Startup | Windows XP User Startup |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp | Windows All User Startup |
| C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | Windows User Startup |
| C:\Windows\Prefetch | Prefetch files |
| C:\Windows\AppCompat\Programs\Amcache.hve | Amcache.hve |
| C:\Windows\Users\*\NTUSER.dat | NTUSER.dat |
