Plugin Reference

• 7zip
• _dpapi_keyprovider
• _dpapi_keyprovider.keys
• _dpapi_keyprovider_credhist
• _dpapi_keyprovider_credhist.keys
• _dpapi_keyprovider_empty
• _dpapi_keyprovider_empty.keys
• _dpapi_keyprovider_keychain
• _dpapi_keyprovider_keychain.keys
• _dpapi_keyprovider_lsa_defaultpassword
• _dpapi_keyprovider_lsa_defaultpassword.keys
• account_policy
• acquire_handles
• acquire_hashes
• activitiescache
• activity
• adpolicy
• alternateshell
• amcache
• amcache.applaunches
• amcache.application_files
• amcache.applications
• amcache.device_containers
• amcache.drivers
• amcache.files
• amcache.programs
• amcache.shortcuts
• amcache_install
• anydesk
• anydesk.logs
• apache
• apache.access
• apache.error
• apache.logs
• appinit
• applications
• appxdebugkeys
• apt
• apt.logs
• atop
• audit
• auditpol
• authlog
• bam
• bashhistory
• bootshell
• brave
• brave.cookies
• brave.downloads
• brave.extensions
• brave.history
• brave.passwords
• browser
• browser.cookies
• browser.downloads
• browser.extensions
• browser.history
• browser.passwords
• btmp
• caddy
• caddy.access
• caddy.logs
• cam
• capability_binaries
• chrome
• chrome.cookies
• chrome.downloads
• chrome.extensions
• chrome.history
• chrome.passwords
• chromium
• chromium.cookies
• chromium.downloads
• chromium.extensions
• chromium.history
• chromium.passwords
• cim
• cim.consumerbindings
• cit
• cit.cit
• cit.dp
• cit.modules
• cit.puu
• cit.telemetry
• citrix
• citrix.access
• citrix.error
• citrix.logs
• clfs
• clsid
• clsid.machine
• clsid.user
• cmdline
• codepage
• commandhistory
• commandprocautorun
• config_tree
• cpanel
• cpanel.lastlogin
• credhist
• cronjobs
• datetime
• defender
• defender.evtx
• defender.exclusions
• defender.mplog
• defender.quarantine
• defender.recover
• docker
• docker.containers
• docker.images
• docker.logs
• domain
• dpapi
• dpkg
• dpkg.log
• dpkg.status
• edge
• edge.cookies
• edge.downloads
• edge.extensions
• edge.history
• edge.passwords
• editor
• editor.extensions
• editor.history
• editor.tabs
• envfile
• environ
• environment_variables
• etc
• etc.etc
• etl
• etl.boot
• etl.etl
• etl.shutdown
• evt
• evtx
• example
• example_none
• example_record
• example_user_registry_record
• example_yield
• exchange
• exchange.transport_agents
• filerenameop
• firefox
• firefox.cookies
• firefox.downloads
• firefox.extensions
• firefox.history
• firefox.passwords
• firewall
• gnulocate
• gnulocate.locate
• icat
• iexplore
• iexplore.downloads
• iexplore.history
• iis
• iis.access
• iis.logs
• install_date
• iptables
• jumplist
• jumplist.automatic_destination
• jumplist.custom_destination
• keyboard
• knowndlls
• language
• lastlog
• lnk
• loaders
• locate
• locate.locate
• lsa
• lsa.secrets
• lsmod
• mcafee
• mcafee.msc
• messages
• mft
• mft_timeline
• mlocate
• mlocate.locate
• mru
• mru.acmru
• mru.lastvisited
• mru.msoffice
• mru.mstsc
• mru.networkdrive
• mru.opensave
• mru.recentdocs
• mru.run
• msoffice
• msoffice.native
• msoffice.startup
• msoffice.web
• mssql
• mssql.errorlog
• muicache
• ndis
• netstat
• network
• network.dns
• network.gateways
• network.interfaces
• network.ips
• network.macs
• network_history
• nginx
• nginx.access
• nginx.logs
• notifications
• notifications.appdb
• notifications.wpndatabase
• ntversion
• nullsessionpipes
• openssh
• openssh.authorized_keys
• openssh.known_hosts
• openssh.private_keys
• openssh.public_keys
• opensshd
• opensshd.config
• openvpn
• openvpn.config
• osinfo
• packagemanager
• packagemanager.logs
• passwords
• path_extensions
• pathenvironment
• pfro
• plocate
• plocate.locate
• plugins
• powershell_history
• prefetch
• proc
• processes
• putty
• putty.known_hosts
• putty.sessions
• qfind
• recentfilecache
• recyclebin
• regf
• registry
• remoteaccess
• remoteaccess.logs
• runkeys
• sam
• schedlgu
• scrape
• scraped_evt
• scraped_evtx
• securelog
• services
• sessionmanager
• sevenzip
• shellbags
• shimcache
• sid
• snap
• snaps
• sockets
• sockets.packet
• sockets.raw
• sockets.tcp
• sockets.udp
• sockets.unix
• sophos
• sophos.hitmanlogs
• sophos.sophoshomelogs
• sru
• sru.application
• sru.application_timeline
• sru.energy_estimator
• sru.energy_usage
• sru.energy_usage_lt
• sru.network_connectivity
• sru.network_data
• sru.push_notification
• sru.sdp_cpu_provider
• sru.sdp_network_provider
• sru.sdp_physical_disk_provider
• sru.sdp_volume_provider
• sru.vfu
• ssh
• ssh.authorized_keys
• ssh.config
• ssh.known_hosts
• ssh.private_keys
• ssh.public_keys
• ssh.sessions
• startupinfo
• suid_binaries
• symantec
• symantec.firewall
• symantec.logs
• syscache
• syslog
• sysmodules
• tasks
• teamviewer
• teamviewer.logs
• thumbcache
• thumbcache.iconcache
• thumbcache.thumbcache
• timezone
• trash
• trendmicro
• trendmicro.wffirewall
• trendmicro.wflogs
• trusteddocs
• ual
• ual.client_access
• ual.domains_seen
• ual.role_access
• ual.system_identities
• ual.virtual_machines
• usb
• user_details
• userassist
• usnjrnl
• utmp
• vmlist
• vmware
• vmware.clipboard
• vmware.draganddrop
• walkfs
• webserver
• webserver.access
• webserver.error
• webserver.logs
• wer
• wget
• wget.hsts
• windowsnotepad
• windowsnotepad.extensions
• windowsnotepad.history
• windowsnotepad.tabs
• winrar
• winsocknamespaceprovider
• wireguard
• wireguard.config
• wtmp
• wua_history
• yara
• yum
• yum.logs
• zypper
• zypper.logs