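#Registry persistence snapshot/diff for malware analysis:
#  1. take a baseline snapshot of the autostart/persistence keys below,
#  2. detonate the sample,
#  3. take a second snapshot and diff the two.
#Run from an elevated PowerShell in a disposable analysis VM. HKLM\SYSTEM\...\Services and the
#Taskcache need admin rights to read fully, and the HKCU keys only reflect the user running this script.
#NOTE(review): the snapshot files land in the current directory, which a sample running as this user
#could modify; hash (Get-FileHash) or copy the *1.txt baseline off-box before detonation if the diff
#has to be trustworthy.
#The snapshots are plain text on purpose so the diff below works on lines; -Width 4096 keeps Out-File
#from wrapping/truncating long values (ImagePath, command lines) at the default 80 columns, which would
#otherwise produce spurious or hidden differences.

#Keys to snapshot. Mode 'Leaf' reads the values stored directly on the key (Run/RunOnce entries).
#Mode 'Children' enumerates the subkeys and their values: services, cached tasks and profiles live one
#level below the listed key, so a plain Get-ItemProperty on the parent captures nothing useful.
$RegistryTargets = @(
    @{ Name = 'HKLM_Run';         Mode = 'Leaf';     Path = 'Registry::\HKLM\Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Name = 'HKLM_RunOnce';     Mode = 'Leaf';     Path = 'Registry::\HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Name = 'HKCU_Run';         Mode = 'Leaf';     Path = 'Registry::\HKCU\Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Name = 'HKCU_RunOnce';     Mode = 'Leaf';     Path = 'Registry::\HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Name = 'HKLM_ProfileList'; Mode = 'Children'; Path = 'Registry::\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' }
    @{ Name = 'HKLM_Task';        Mode = 'Children'; Path = 'Registry::\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks' }
    @{ Name = 'HKLM_Services';    Mode = 'Children'; Path = 'Registry::\HKLM\SYSTEM\CurrentControlSet\SERVICES' }
    @{ Name = 'HKLM_NetProfiles'; Mode = 'Children'; Path = 'Registry::\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' }
    @{ Name = 'HKCU_IE';          Mode = 'Leaf';     Path = 'Registry::\HKCU\Software\Microsoft\Internet Explorer\TypedURLs' }
)

#Writes one <Name><Suffix>.txt file per target in the current directory.
#  -Suffix : '1' for the baseline, '2' for the post-detonation snapshot (keeps the original file names).
#Keys that do not exist on this host (e.g. TypedURLs on a machine that never used IE) produce an empty
#file instead of aborting the run; -ErrorAction SilentlyContinue is deliberate for that reason.
function Save-RegistrySnapshot {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Suffix
    )
    foreach ($target in $RegistryTargets) {
        $outFile = "$($target.Name)$Suffix.txt"
        if ($target.Mode -eq 'Children') {
            #Enumerate subkeys recursively and dump each subkey's values (ImagePath, Actions, ProfileImagePath, ...).
            Get-ChildItem -Path $target.Path -Recurse -ErrorAction SilentlyContinue |
                Get-ItemProperty -ErrorAction SilentlyContinue |
                Out-File -FilePath $outFile -Width 4096
        } else {
            Get-ItemProperty -Path $target.Path -ErrorAction SilentlyContinue |
                Out-File -FilePath $outFile -Width 4096
        }
    }
}

#Diffs <Name>1.txt against <Name>2.txt for every target.
#In the output, SideIndicator '=>' marks lines present only after detonation (new persistence),
#'<=' marks lines that disappeared from the baseline. A missing snapshot file is reported and skipped
#rather than silently compared against nothing.
function Compare-RegistrySnapshot {
    foreach ($target in $RegistryTargets) {
        $baseline = "$($target.Name)1.txt"
        $secondLook = "$($target.Name)2.txt"
        Write-Output "#Compare $($target.Name) Files"
        if (-not (Test-Path -Path $baseline) -or -not (Test-Path -Path $secondLook)) {
            Write-Warning "Snapshot missing for $($target.Name) ($baseline / $secondLook); skipping"
            continue
        }
        Compare-Object -ReferenceObject (Get-Content -Path $baseline) -DifferenceObject (Get-Content -Path $secondLook)
    }
}

#Prepare baseline
pause
Save-RegistrySnapshot -Suffix '1'
pause
#run after malware install
pause
#Prepare Second Look
pause
Save-RegistrySnapshot -Suffix '2'
pause
#Compare Files
pause
Compare-RegistrySnapshot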