- Original path:
profiles/modules/windows/execution.toml
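# Windows Evidence of Execution Module
# Collects Windows execution artifacts (Prefetch, AppCompat, BAM/DAM, etc.)
#
# Each [[patterns]] entry is a case-insensitive regex (`type = "regex"`,
# `case-insensitive = true`). Regexes containing backslashes are written as
# TOML literal strings ('...') so the regex escape is written once; in a
# basic string ("...") `\.` is invalid and `\b` would be a backspace
# character rather than a regex word boundary.
#
# NOTE(review): the file does not show what text the patterns are matched
# against (file paths, registry paths, or both); a pattern with no anchor
# matches anywhere in that text. Keep patterns as specific as the artifact
# name allows to limit false-positive collection.

[module]
name = "Windows Evidence of Execution"
# NOTE(review): ShimCache and AppCompatCache are two names for the same
# artifact, and the patterns below also cover MUICache, RecentApps,
# FeatureUsage, SRUM, Timeline, JumpLists and LNK files; the summary
# undersells the module. Left as-is since it may be shown to users.
description = "Prefetch, ShimCache, AppCompatCache, BAM/DAM, UserAssist"
category = "windows"
platform = ["windows"]
priority = "high"

# Prefetch Files
[[patterns]]
name = "Prefetch File"
# Anchored on the extension so e.g. ".pfx" is not collected.
pattern = '\.pf$'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Prefetch Directory"
# Unanchored: also matches any other path containing "prefetch"
# (browser cache directories, for example) — TODO confirm this is intended.
pattern = "Prefetch"
case-insensitive = true
type = "regex"

# ShimCache/AppCompatCache
[[patterns]]
name = "ShimCache"
pattern = "AppCompatCache"
case-insensitive = true
type = "regex"

# Background Activity Moderator (BAM) / Desktop Activity Moderator (DAM)
[[patterns]]
name = "BAM DAM"
# The artifact key names are exactly "bam" and "dam", always delimited by a
# path separator. Word boundaries keep the match on those names while
# rejecting substrings such as "Adam", "Bambi" or "fundamental", which the
# previous unanchored `(?:BAM|DAM)` matched under case-insensitive search.
# `\b` is a standard construct in the regex flavors that accept `(?:...)`.
pattern = '\b(?:BAM|DAM)\b'
case-insensitive = true
type = "regex"

# UserAssist
[[patterns]]
name = "UserAssist"
pattern = "UserAssist"
case-insensitive = true
type = "regex"

# MUI Cache
[[patterns]]
name = "MUICache"
pattern = "MUICache"
case-insensitive = true
type = "regex"

# RecentApps
[[patterns]]
name = "RecentApps"
pattern = "RecentApps"
case-insensitive = true
type = "regex"

# FeatureUsage
[[patterns]]
name = "FeatureUsage"
pattern = "FeatureUsage"
case-insensitive = true
type = "regex"

# SRUM (System Resource Usage Monitor)
[[patterns]]
name = "SRUM Database"
pattern = 'SRUDB\.dat'
case-insensitive = true
type = "regex"

# Windows Timeline
[[patterns]]
name = "Windows Timeline"
pattern = 'ActivitiesCache\.db'
case-insensitive = true
type = "regex"

# JumpLists
[[patterns]]
name = "Automatic JumpLists"
pattern = "AutomaticDestinations"
case-insensitive = true
type = "regex"

[[patterns]]
name = "Custom JumpLists"
pattern = "CustomDestinations"
case-insensitive = true
type = "regex"

# Shortcut Files (LNK)
[[patterns]]
name = "LNK File"
# Anchored on the extension so ".lnk" must be the end of the name.
pattern = '\.lnk$'
case-insensitive = true
type = "regex"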