diff --git a/csv/scan-module-explanation.csv b/csv/scan-module-explanation.csv index 0bb104f..c982c0e 100644 --- a/csv/scan-module-explanation.csv +++ b/csv/scan-module-explanation.csv 
@@ -2,7 +2,7 @@ Module;Explanation Filescan;Events reported by the **FileScan** module typically originate from the file system scan. But due to the "Message Enrichment" feature, other modules that include events with full "file path" strings may also produce events of this type (e.g. module ``SHIMCache``, ``Eventlog``). SHIMcache;The **SHIM Cache** or AppCompatCache (Application Compatibility Cache) is a special Registry cache containing valuable information, because the cache tracks metadata for binary files that were executed. Autoruns;The **Autoruns** module enumerates common locations for programs running automatically at system startup, analyzes them and logs them. -LogScan;The **LogScan** module processes ``*.log`` files found on disk line by line (It performs some checks to avoid scanning files that are not ASCII log files, but something else that uses the ``*.log`` extension). Each log line is checked with all file name and keyword IOCs and scanned with the "keyword" and "log" type YARA rules. +Eventlog;The **Eventlog** module searches for Windows Eventlogs in their default location and scans them. Those default location is the ``$%SystemRoot%\System32\winevt\Logs`` directory. GroupsXML;The **GroupsXML** module is a module that reports on critical security issues related to decryptable passwords in group policy files, that are readable for anyone within a Windows Domain. Registry;**Registry** matches can be caused by different signature types: File name IOCs, keywords or YARA signatures matches. WMIPersistence;It is difficult to detect malicious **WMIPersistence** objects. The detection methods are based on whitelists and a blacklist with keywords from APT reports. The whitelists are extended every time our analysts detect false positives in a customer's environment. The black lists are extended every time an APT report states a certain WMI persistence method with specific event filer or event file name.
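Review bot: the added `+Eventlog;` line carries a stray `$` in the path: `$%SystemRoot%\System32\winevt\Logs` should read `%SystemRoot%\System32\winevt\Logs`, since `%SystemRoot%` is already the Windows environment-variable form and the `$` would be copied verbatim by anyone using this table as a reference; the same sentence also has a grammar slip ("Those default location is" should be "That default location is"). Separately, the hunk does not only add the Eventlog row, it removes the `LogScan;` row outright, so the `*.log` line-by-line scanning behaviour and its keyword/log YARA rule note disappear from the explanation table. If the LogScan module still exists, keep its row and add the Eventlog row alongside it; if the module was deliberately dropped, say so in the commit message so readers of the CSV know the omission is intentional.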