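#Baseline Registry
# Dumps a set of persistence/forensic registry keys to one text file so that a
# clean baseline can be diffed against a post-detonation dump:
#   1. Verify this baseline output, then import the file into the VM.
#   2. Run the malware, run this script again into a second .txt file.
#   3. Compare-Object (Get-Content clean.txt) (Get-Content infected.txt)
#      and parse out what is different.
#   4. Revert the VM ("unmalware"). Rinse and repeat.
# The first key overwrites the output file (fresh baseline); every later key
# appends. -NoClobber only guards a non-appending write, so it was redundant on
# the appends and is dropped. A key that does not exist on this build raises a
# non-terminating error and the dump continues with the next key.

# NOTE(review): C:\Users\Default is the template copied into every newly
# created user profile; a dedicated analysis folder would keep the baseline
# out of new profiles. Kept as-is, but it is now a single variable to change.
$BaselinePath = 'C:\Users\Default\Desktop\baseline.txt'

# Writes one registry key's data to the baseline file.
#   $Path     - registry provider path of the key
#   $Children - set when the data of interest live in the key's subkeys rather
#               than in values on the key itself (see the container keys below)
#   $Append   - omitted only for the first key, so a stale baseline is replaced
function Write-BaselineKey {
  param(
    [Parameter(Mandatory)][string] $Path,
    [switch] $Children,
    [switch] $Append
  )
  # Label each section so a Compare-Object hit can be traced back to its key.
  "=== $Path ===" | Out-File -FilePath $BaselinePath -Append:$Append
  if ($Children) {
    Get-ChildItem -Path $Path | Get-ItemProperty | Out-File -FilePath $BaselinePath -Append
  } else {
    Get-ItemProperty -Path $Path | Out-File -FilePath $BaselinePath -Append
  }
}

# Keys whose data are values on the key itself.
Write-BaselineKey -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Write-BaselineKey -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Append
# These two do not have a documented path. They were verified in regedit.
Write-BaselineKey -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\run' -Append
Write-BaselineKey -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\run' -Append
Write-BaselineKey -Path 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' -Append

# Container keys: Get-ItemProperty on the key itself only returns the values
# (if any) set on that key, which is why the NetworkList\Profiles dump came
# back empty although the key exists in regedit. The per-service, per-device
# and per-network data live one level down, so enumerate the subkeys.
Write-BaselineKey -Path 'HKLM:\SYSTEM\CurrentControlSet\services' -Children -Append
# Changed path from 'USBSTOR' to 'USB': USBSTOR typically only appears once a
# USB mass-storage device has been attached, while 'USB' is always present.
Write-BaselineKey -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB' -Children -Append
Write-BaselineKey -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' -Children -Append

# Show the consolidated output in the .txt file.
Get-Content -Path $BaselinePath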