# Tactical Artifacts by Category

- [Combination Query](/blugenie/artifacts/tactical-artifacts-by-category/combination-query.md)
  - [Query Autorun locations for any item nested that is not digitally signed](/blugenie/artifacts/tactical-artifacts-by-category/combination-query/query-autorun-locations-for-any-item-nested-that-is-not-digitally-signed.md): AID2201221238.YAML
- [EventLog Query](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query.md)
  - [Query for Process execution from unusual directories](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-for-process-execution-from-unusual-directories.md): AID2201222048.yaml
  - [Query suspicious programs processed by the Task Scheduler using the Event Log](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-suspicious-programs-processed-by-the-task-scheduler-using-the-event-log.md): AID2201251952.YAML
  - [Query for unusual instances of rundll32.exe via the Event Log](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-for-unusual-instances-of-rundll32.exe-via-the-event-log.md)
  - [Query for Unusual Instances of rundll32.exe making outbound network connections using Sysmon Data](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-for-unusual-instances-of-rundll32.exe-making-outbound-network-connections-using-sysmon-data.md): AID2201251645.YAML
  - [Query Suspicious PowerShell Command Line Executions](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-suspicious-powershell-command-line-executions.md): AID2201251845.YAML
  - [Query the Windows System Log for 104, 517, 1102](/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-the-windows-system-log-for-104-517-1102.md): AID2201232238.YAML
- [File and Folder Query](/blugenie/artifacts/tactical-artifacts-by-category/file-and-folder-query.md)
  - [Query for malicious file types in all users and system temp directories](/blugenie/artifacts/tactical-artifacts-by-category/file-and-folder-query/query-for-malicious-file-types-in-all-users-and-system-temp-directories.md): AID2201202326.YAML
  - [Query Malicious file types from any directory not including the default OS and Install directories](/blugenie/artifacts/tactical-artifacts-by-category/file-and-folder-query/query-malicious-file-types-from-any-directory-not-including-the-default-os-and-install-directories.md): AID2201220858.YAML
  - [Query all users for their PowerShell Profile content for PowerShell, PowerShell\_ISE, and VS Code](/blugenie/artifacts/tactical-artifacts-by-category/file-and-folder-query/query-all-users-for-their-powershell-profile-content-for-powershell-powershell_ise-and-vs-code.md): AID2201232312.YAML
  - [Query to Determine if any lolbin files are installed outside the normal OS and Program Files dirs](/blugenie/artifacts/tactical-artifacts-by-category/file-and-folder-query/query-to-determine-if-any-lolbin-files-are-installed-outside-the-normal-os-and-program-files-dirs.md): AID2201232312.YAML
- [Network Query](/blugenie/artifacts/tactical-artifacts-by-category/network-query.md)
  - [Query for Unusual Windows Network Activity](/blugenie/artifacts/tactical-artifacts-by-category/network-query/query-for-unusual-windows-network-activity.md): AID2201222121.YAML
- [Process Query](/blugenie/artifacts/tactical-artifacts-by-category/process-query.md)
  - [Query for all Processes not running from the Windows and Program Files.\* Directories](/blugenie/artifacts/tactical-artifacts-by-category/process-query/query-for-all-processes-not-running-from-the-windows-and-program-files.-directories.md)
- [Registry Query](/blugenie/artifacts/tactical-artifacts-by-category/registry-query.md)
  - [Query Information from the Registry on Recentdocs, Recentapps](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-information-from-the-registry-on-recentdocs-recentapps.md): AID2112301441.YAML
  - [Query Registry for a list of mounted USB storage devices, including external memory cards](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-registry-for-a-list-of-mounted-usb-storage-devices-including-external-memory-cards.md): AID2112302000.YAML
  - [Query the Most Recently Used items from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-most-recently-used-items-from-the-registry.md): AID2112302008.YAML
  - [Query the Most Recently Open and Saved File information from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-most-recently-open-and-saved-file-information-from-the-registry.md): AID2112302009.YAML
  - [Query all Run, RunOnce, and RunOnceEx Registry Keys](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-all-run-runonce-and-runonceex-registry-keys.md): AID2112302012.YAML
  - [Query Command list from the MRU Registry List](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-command-list-from-the-mru-registry-list.md): AID2112302013.YAML
  - [Query Startup Services from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-startup-services-from-the-registry.md): AID2112302014.YAML
  - [Query Map Network Drives from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-map-network-drives-from-the-registry.md): AID2112302017.YAML
  - [Query Shell Folders and User Shell Folders from both the HKLM and HKU Registry Information](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-shell-folders-and-user-shell-folders-from-both-the-hklm-and-hku-registry-information.md)
  - [Query Typed Urls from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-typed-urls-from-the-registry.md): AID2112302023.YAML
  - [Query Current Control Set Services information from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-current-control-set-services-information-from-the-registry.md): AID2112302027.YAML
  - [Query Accessibility Features from Image File Execution Options from the Registry](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-accessibility-features-from-image-file-execution-options-from-the-registry.md): AID2112302043.YAML
  - [Query the Registry for Commands that are automatically executed each time cmd.exe is run](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-commands-that-are-automatically-executed-each-time-cmd.exe-is-run.md): AID2112302048.YAML
  - [Query the Registry for Mounted Device information](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-mounted-device-information.md): AID2112302049.YAML
  - [Query the Registry for Browser Helper Objects (BHO)](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-browser-helper-objects-bho.md): AID2112302103.YAML
  - [Query the Registry for Explore Run commands](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-explore-run-commands.md): AID2112302128.YAML
  - [Query the Registry for Winlogon Helper DLLs](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-winlogon-helper-dlls.md): AID2112302152.YAML
  - [Query the Registry for Active Setup information](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-active-setup-information.md): AID2201032000.YAML
  - [Query the Registry for Bypassing UAC Mechanisms from the User-Accessible information](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-bypassing-uac-mechanisms-from-the-user-accessible-information.md): AID2201032010.YAML
  - [Query the Registry for User-Logon, and Startup Scripts](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-user-logon-and-startup-scripts.md): AID2201032020.YAML
  - [Query the Registry for the most common MRU information for All User Hives, including offline users](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-the-most-common-mru-information-for-all-user-hives-including-offline-users.md): AID2201202337.YAML
  - [Query the Registry for any user, using the Sysinternals Tools](/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-any-user-using-the-sysinternals-tools.md)
