Registry

The registry is a database with its own set of records, in the form of keys and values. When records are deleted they are only 'marked' as deleted; the data is not immediately overwritten and normally remains recoverable for some time (until the space is reused or compaction routines run).

Attackers have been known to hide payloads in hard-to-find areas of the Registry. Filtering values by Base64 content and size in Registry Explorer is a good method for hunting persistence.
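The same Base64-plus-size filter as a PowerShell sweep, added here as an example and not part of the original notes: it walks a subtree of the live registry and lists values whose data is large and made up entirely of the Base64 alphabet. The starting path and the size threshold are assumptions to adjust for the hive under examination.

```powershell
# Added example (not from the original notes): flag registry values whose data
# is unusually large and looks like Base64, the filter the notes describe
# applying in Registry Explorer. $Root and $MinLength are assumed defaults.
param(
    [string]$Root = 'HKCU:\Software',   # assumed starting point
    [int]$MinLength = 1024              # assumed size threshold in characters
)

# Base64 alphabet with optional padding; the whole string must match.
$base64 = '^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'

Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            # REG_BINARY comes back as byte[]; treat it as ASCII text so a
            # Base64 blob stored as binary gets the same test.
            if ($kind -eq 'Binary') {
                $data = [System.Text.Encoding]::ASCII.GetString($data)
            }
            # DWORD, QWORD and multi-string values are not single strings; skip them.
            if ($data -isnot [string]) { continue }
            if ($data.Length -ge $MinLength -and $data -match $base64) {
                [PSCustomObject]@{
                    Key     = $key.Name
                    Value   = if ($name) { $name } else { '(Default)' }
                    Kind    = $kind
                    Length  = $data.Length
                    Preview = $data.Substring(0, 40)
                }
            }
        }
    } | Sort-Object Length -Descending | Format-Table -AutoSize
```

Expect false positives from legitimate large encoded values (serialized settings, embedded certificates); the output is a short triage list to review in Registry Explorer, not a verdict.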

Services:

SYSTEM\CurrentControlSet\Services\

MountPoints2 (remotely mapped shares):

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

PsExec (EulaAccepted is set under the profile of the user who ran PsExec):

Software\SysInternals\PsExec\EulaAccepted

Parse:

RegRipper

PowerShell:

Get-ChildItem HKLM:System | Format-Wide
Get-ChildItem HKLM:Software | Format-Wide
Get-ChildItem HKLM:Hardware | Format-Wide

AppCompatProcessor

Eric Zimmerman's tool (Registry Explorer, above) is good for showing the information in an easy-to-read format and can also identify deleted records.
