Application eventlog Security eventlog System eventlog Windows PowerShell eventlog ./shared/win_audit_rcl.txt ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt 72000 yes %WINDIR%/win.ini %WINDIR%/system.ini C:\autoexec.bat C:\config.sys C:\boot.ini %WINDIR%/SysNative/at.exe %WINDIR%/SysNative/attrib.exe %WINDIR%/SysNative/cacls.exe %WINDIR%/SysNative/cmd.exe %WINDIR%/SysNative/drivers/etc %WINDIR%/SysNative/eventcreate.exe %WINDIR%/SysNative/ftp.exe %WINDIR%/SysNative/lsass.exe %WINDIR%/SysNative/net.exe %WINDIR%/SysNative/net1.exe %WINDIR%/SysNative/netsh.exe %WINDIR%/SysNative/reg.exe %WINDIR%/SysNative/regedt32.exe %WINDIR%/SysNative/regsvr32.exe %WINDIR%/SysNative/runas.exe %WINDIR%/SysNative/sc.exe %WINDIR%/SysNative/schtasks.exe %WINDIR%/SysNative/sethc.exe %WINDIR%/SysNative/subst.exe %WINDIR%/SysNative/wbem/WMIC.exe %WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe %WINDIR%/SysNative/winrm.vbs %WINDIR%/System32/CONFIG.NT %WINDIR%/System32/AUTOEXEC.NT %WINDIR%/System32/at.exe %WINDIR%/System32/attrib.exe %WINDIR%/System32/cacls.exe %WINDIR%/System32/debug.exe %WINDIR%/System32/drwatson.exe %WINDIR%/System32/drwtsn32.exe %WINDIR%/System32/edlin.exe %WINDIR%/System32/eventcreate.exe %WINDIR%/System32/eventtriggers.exe %WINDIR%/System32/ftp.exe %WINDIR%/System32/net.exe %WINDIR%/System32/net1.exe %WINDIR%/System32/netsh.exe %WINDIR%/System32/rcp.exe %WINDIR%/System32/reg.exe %WINDIR%/regedit.exe %WINDIR%/System32/regedt32.exe %WINDIR%/System32/regsvr32.exe %WINDIR%/System32/rexec.exe %WINDIR%/System32/rsh.exe %WINDIR%/System32/runas.exe %WINDIR%/System32/sc.exe %WINDIR%/System32/subst.exe %WINDIR%/System32/telnet.exe %WINDIR%/System32/tftp.exe %WINDIR%/System32/tlntsvr.exe %WINDIR%/System32/drivers/etc %WINDIR%/System32/wbem/WMIC.exe %WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe %WINDIR%/System32/winrm.vbs %PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup .log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$ HKEY_LOCAL_MACHINE\Software\Classes\batfile HKEY_LOCAL_MACHINE\Software\Classes\cmdfile HKEY_LOCAL_MACHINE\Software\Classes\comfile HKEY_LOCAL_MACHINE\Software\Classes\exefile HKEY_LOCAL_MACHINE\Software\Classes\piffile HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects HKEY_LOCAL_MACHINE\Software\Classes\Directory HKEY_LOCAL_MACHINE\Software\Classes\Folder HKEY_LOCAL_MACHINE\Software\Classes\Protocols HKEY_LOCAL_MACHINE\Software\Policies HKEY_LOCAL_MACHINE\Security HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\Security\Policy\Secrets HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$ yes