diff --git a/Enumeration/Windows/Powershell.md b/Enumeration/Windows/Powershell.md index ec4fea7..cf3af1b 100644 --- a/Enumeration/Windows/Powershell.md +++ b/Enumeration/Windows/Powershell.md @@ -39,21 +39,34 @@ Get-ChildItem | Select-Object -Property Mode, Name * skip - skips x objects ## Filtering Objects + ``` Verb-Noun | Where-Object -Property PropertyName -operator Value Verb-Noun | Where-Object {$_.PropertyName -operator Value} ``` + The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet. * Where -operator is a list of the following operators: +* -Match: matches the exact value of the property * -Contains: if any item in the property value is an exact match for the specified value * -EQ: if the property value is the same as the specified value * -GT: if the property value is greater than the specified value +### Out-Gridview + +Pipe the output to a graphical window and Filter it through the GUI. + +``` +whatever | Out-GridView +``` + ## Sort Object + ``` Verb-Noun | Sort-Object ``` + ``` Get-ChildItem | Sort-Object ``` diff --git a/Forensics/Windows Registration.md b/Forensics/Windows Registration.md index 4cae42f..f2fdae3 100644 --- a/Forensics/Windows Registration.md +++ b/Forensics/Windows Registration.md 
@@ -66,12 +66,38 @@ * `SYSTEM\Select\LastKnownGood` ## Autostart Programs + * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` * `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` * `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` * `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` +Run program on login for the current user + +``` +HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run +``` + +Run program on login for any user + +``` +HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run +``` + +Run program on login once for the current user + +``` +HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce +``` + +Run program for on login once for any user + +``` +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce +``` + + ## Recent Files * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg * Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` @@ -125,3 +151,19 @@ * [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md) * hivedump * hivex +* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence + +```sh +Get-Command -Module AutoRuns + + + +CommandType Name Version Source + +----------- ---- ------- ------ + +Function Compare-AutoRunsBaseLine 14.0 Aut... + +Function Get-PSAutorun 14.0 Aut... + +Function New-AutoRunsBaseLine 14.0 Aut...
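Review bot: in the Powershell.md hunk, the new bullet `* -Match: matches the exact value of the property` describes the wrong operator; `-Match` performs a regular-expression match (case-insensitive by default), and the exact-value comparison is already covered by the `-EQ` bullet below it. Suggest `* -Match: if the property value matches the specified regular expression` (and, if you want the wildcard form, a separate `-Like` bullet). Two smaller points in the same hunk: the heading `### Out-Gridview` should spell the cmdlet as `Out-GridView` to match the `whatever | Out-GridView` example, and it is worth one sentence saying that Out-GridView needs a Windows desktop session, since it is not available in PowerShell on Linux or macOS.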
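Review bot: in the Windows Registration.md hunk, the key under `Run program on login for any user` is wrong; it repeats `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`, but the machine-wide key is `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`, which is the `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` hive path already listed in the bullets just above. The fourth heading also has a typo: `Run program for on login once for any user` should read `Run program on login once for any user`. Since the four new blocks are the same keys as the bullet list (NTUSER.DAT is the per-user hive behind HKEY_CURRENT_USER, the SOFTWARE hive is behind HKEY_LOCAL_MACHINE), a one-line note stating that mapping would stop readers treating them as additional locations to check.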
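Review bot: in the AutoRuns hunk, the code fence is never closed: the header counts 16 added lines and the last one is `+Function New-AutoRunsBaseLine 14.0 Aut...`, with no closing ``` after it, so everything that follows this point in the file will render as code. The fence is also tagged `sh` although it holds a PowerShell command and its table output; tag it `powershell` so nobody tries it in a POSIX shell. The blank line between every output row looks like a paste artifact; `Get-Command` prints the table contiguously. Finally, since the bullet says the module is for checking autorun paths for persistence, add the actual call readers need, `Get-PSAutorun` (the name shown in the listing, not `Get-AutoRuns`), and mention that `New-AutoRunsBaseLine` / `Compare-AutoRunsBaseLine` are there to record a known-good state and diff the current one against it.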