whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Powershell and registry additions

This commit is contained in:
gurkenhabicht 2023-10-10 18:35:57 +02:00
parent 0cc87fa399
commit 781892ac64
2 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Enumeration/Windows/Powershell.md
View File

@ -39,21 +39,34 @@ Get-ChildItem | Select-Object -Property Mode, Name
* skip - skips x objects * skip - skips x objects
## Filtering Objects ## Filtering Objects
``` ```
Verb-Noun | Where-Object -Property PropertyName -operator Value Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value} Verb-Noun | Where-Object {$_.PropertyName -operator Value}
``` ```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet. The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators: * Where -operator is a list of the following operators:
* -Match: matches the exact value of the property
* -Contains: if any item in the property value is an exact match for the specified value * -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value * -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value * -GT: if the property value is greater than the specified value
### Out-Gridview
Pipe the output to a graphical window and Filter it through the GUI.
```
whatever | Out-GridView
```
## Sort Object ## Sort Object
``` ```
Verb-Noun | Sort-Object Verb-Noun | Sort-Object
``` ```
``` ```
Get-ChildItem | Sort-Object Get-ChildItem | Sort-Object
``` ```

42
Forensics/Windows Registration.md
View File

@ -66,12 +66,38 @@
* `SYSTEM\Select\LastKnownGood` * `SYSTEM\Select\LastKnownGood`
## Autostart Programs ## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` * `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` * `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` * `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
Run program on login for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login for any user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login once for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
Run program for on login once for any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
## Recent Files ## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` * Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
@ -125,3 +151,19 @@
* [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md) * [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump * hivedump
* hivex * hivex
* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence
```sh
Get-Command -Module AutoRuns
CommandType Name Version Source
----------- ---- ------- ------
Function Compare-AutoRunsBaseLine 14.0 Aut...
Function Get-PSAutorun 14.0 Aut...
Function New-AutoRunsBaseLine 14.0 Aut...