Operator On The Wire
BLUE TEAM / DFI / ARTEFACT / WINDOWS / REGISTRY

ShellBags

SBECmd.exe -d ShellBags --csv out

-d is the directory holding the exported NTUSER.DAT and UsrClass.dat hives (here a folder named ShellBags); --csv takes the output directory, not a file name (use --csvf to set the file name). On a live box use -l instead of -d. BagMRU/Bags keys live under Software\Microsoft\Windows\Shell in NTUSER.DAT and under Local Settings\Software\Microsoft\Windows\Shell in UsrClass.dat.

Hunt

  • External media browsing: drive letters other than the system drive, UNC paths under My Network Places
  • Suspicious folder navigation: Temp, Downloads, Public, staging directories; entries persist after the folder is deleted

Red Flags

  • Removable or network drive browsed shortly before execution of a suspicious binary (same user, minutes apart)

Correlate

  • MFT: creation/deletion of the folder itself
  • LNK: individual files opened inside the folder
  • Jump Lists: per-application recent files for the same paths
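Worked example, added here and not part of the original card: a small triage script that runs the Hunt and Red Flags checks above over SBECmd CSV output. The input rows are constructed to look like SBECmd output; the column names (AbsolutePath, LastInteracted, ...) approximate SBECmd's layout and are an assumption, as are the execution events it correlates against (timestamps you would take from whatever execution artefact you have).

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of SBECmd CSV output. The column names
# approximate SBECmd's layout and are an assumption: check the header line of
# your own export before relying on them.
SAMPLE_CSV = r"""BagPath,Slot,AbsolutePath,ShellType,LastWriteTime,FirstInteracted,LastInteracted
BagMRU\0,0,Desktop\My Computer\C:\Users\alice\Documents,Directory,2024-03-04 09:15:02,2024-03-01 08:00:00,2024-03-04 09:15:02
BagMRU\1,1,Desktop\My Computer\E:\,Drive letter,2024-03-04 13:40:11,2024-03-04 13:40:11,2024-03-04 13:40:11
BagMRU\1\0,0,Desktop\My Computer\E:\tools,Directory,2024-03-04 13:41:30,2024-03-04 13:41:30,2024-03-04 13:41:30
BagMRU\2,2,Desktop\My Computer\C:\Windows\Temp\stage,Directory,2024-03-04 13:44:05,2024-03-04 13:44:05,2024-03-04 13:44:05
BagMRU\3,3,Desktop\My Network Places\\fileserv\share\finance,Network location,2024-03-02 10:00:00,2024-03-02 10:00:00,2024-03-02 10:00:00
"""

# Constructed, hypothetical execution events to correlate against:
# (timestamp, what ran). In practice these come from your execution artefacts.
EXEC_EVENTS = [("2024-03-04 13:45:10", "update.exe")]

SYSTEM_DRIVES = {"C:"}
SUSPICIOUS_FOLDERS = [
    r"\\Windows\\Temp(\\|$)", r"\\AppData\\Local\\Temp(\\|$)",
    r"\\Users\\Public(\\|$)", r"\\ProgramData(\\|$)", r"\\Downloads(\\|$)",
]


def parse_ts(s):
    """Parse an SBECmd-style timestamp; fractional seconds, if present, are dropped."""
    return datetime.strptime(s.split(".")[0], "%Y-%m-%d %H:%M:%S")


def drive_letter(path):
    """Return the drive letter ('E:') embedded in a ShellBag absolute path, if any."""
    m = re.search(r"(?:^|\\)([A-Za-z]:)(?:\\|$)", path)
    return m.group(1).upper() if m else None


def classify(path):
    """Tag a path with the hunt categories from the card (empty list = nothing notable)."""
    tags = []
    drive = drive_letter(path)
    if drive and drive not in SYSTEM_DRIVES:
        tags.append("non_system_drive")   # removable media, second disk or mapped drive
    if re.search(r"\\\\[\w.-]+\\", path):  # \\host\share style UNC path
        tags.append("network_share")
    if any(re.search(p, path, re.IGNORECASE) for p in SUSPICIOUS_FOLDERS):
        tags.append("suspicious_folder")
    return tags


def hunt(csv_text, exec_events=EXEC_EVENTS, window_minutes=10):
    """Flag notable folders and list folders interacted with shortly before each execution."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = [(r["AbsolutePath"], classify(r["AbsolutePath"]), r["LastInteracted"])
               for r in rows if classify(r["AbsolutePath"])]
    window = timedelta(minutes=window_minutes)
    pre_exec = []
    for ts, name in exec_events:
        t_exec = parse_ts(ts)
        for r in rows:
            if not r["LastInteracted"]:       # SBECmd leaves this blank for some entries
                continue
            delta = t_exec - parse_ts(r["LastInteracted"])
            if timedelta(0) <= delta <= window:
                pre_exec.append((r["AbsolutePath"], classify(r["AbsolutePath"]),
                                 name, int(delta.total_seconds())))
    pre_exec.sort(key=lambda x: -x[3])       # earliest folder first
    return {"flagged": flagged, "pre_execution": pre_exec}


if __name__ == "__main__":
    res = hunt(SAMPLE_CSV)
    for path, tags, last in res["flagged"]:
        print(f"{last}  {path}  [{', '.join(tags)}]")
    for path, tags, name, secs in res["pre_execution"]:
        print(f"{secs:>4}s before {name}: {path}  [{', '.join(tags)}]")
```

The window check is what turns the Red Flag into a query: a browse of E:\ and E:\tools followed by a Temp staging folder, all inside ten minutes of a suspicious execution, is the pattern to pull the MFT, LNK and Jump List timelines around. Widen the window and the SUSPICIOUS_FOLDERS list to suit the case.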