SS cheat sheet

Useful things to keep at hand.

Tools

Folders

  • C:\$Recycle.bin
  • shell:recent
  • %temp%
  • prefetch

Mouse software

  • %localappdata%\Logitech\Logitech Gaming Software\settings
  • %localappdata%\LGHUB\settings
  • %homepath%\Documents\M--- Gaming Mouse\MacroDB
  • %appdata%\BY-COMBO2
  • %appdata%\ROCCAT\SWARM\macro\custom_macro_list
  • %localappdata%\steelseriesengine-3-client\Local Storage\LevelDB
  • C:\ProgramData\Razer\synapse\Accounts
  • %localappdata%\Razer\Synapse3\Log

System Informer

explorer.exe

  • Word (case insensitive) > pcaclient
  • Word (case insensitive) > file:///
  • Regex (case insensitive) > ^[A-Z]:\\.+:

csrss.exe

  • Regex (case insensitive) > ^[A-Z]:\\.+\.exe$
  • Regex (case insensitive) > ^[A-Z]:\\.+\.dll$
  • Regex (case insensitive) > ^[A-Z]:\\((?!exe|dll).)*$

svchost.exe (-s dps)

  • Regex (case insensitive) > ^!!(?!svchost|dwm|csrss|explorer|taskhostw|ctfmon|rundll32|conhost|lsass|usoclient|sihost|dashost|nissrv|smss|sc|servicehost|settingsynchost|consent|dllhost|sppsvc|wermgr).+\.exe
  • Regex (case insensitive) > ^!![A-Z]+(.*)[A-Z]:
  • Regex (case insensitive) > ^!![A-Z](.)((?!Exe|dll).)*$

fsutil

fsutil usn readjournal c: csv | findstr /i /C:"0x80000200" /i /C:"0x00001000" /i /C:"0x00002000" | findstr /i /C:".exe" /i /C:".dll" /i /C:".pf" /i /C:".com" /i /C:".cmd" /i /C:".jar" /i /C:".pif" /i /C:".bat" /i /C:"?"
fsutil usn readjournal c: csv | findstr /i /C:"0x00000800" /i /C:"0x80000800" | findstr /i /C:"Prefetch"
fsutil usn readjournal c: csv | findstr /i /C:"0x--------" /i /C:"0x--------"
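A Python filter added here (not part of the original cheat sheet) that applies the same USN reason-code logic as the fsutil pipelines above, but decodes the Reason bitmask instead of grepping the hex strings. The CSV column names and the sample rows are constructed assumptions; check the names against the real header printed by `fsutil usn readjournal c: csv`.

```python
import csv
import io

# USN reason bits as documented for USN_RECORD; only the ones the cheat sheet
# filters on are listed. 0x80000200 is FILE_DELETE|CLOSE, 0x80000800 is
# SECURITY_CHANGE|CLOSE.
USN_REASON = {
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
DELETE_OR_RENAME = 0x00000200 | 0x00001000 | 0x00002000
INTERESTING_EXT = (".exe", ".dll", ".pf", ".com", ".cmd", ".jar", ".pif", ".bat")

# Constructed sample in the shape of the fsutil CSV output (column names assumed).
SAMPLE = """File Name,Reason,Time Stamp
injector.exe,0x80000200,2024-01-01 10:00:00
macro.bat,0x00002000,2024-01-01 10:01:00
notes.txt,0x80000200,2024-01-01 10:02:00
Prefetch,0x80000800,2024-01-01 10:03:00
report.docx,0x00000002,2024-01-01 10:04:00
"""


def decode_reason(mask):
    """Names of the set reason bits, e.g. 0x80000200 -> ['FILE_DELETE', 'CLOSE']."""
    return [name for bit, name in USN_REASON.items() if mask & bit]


def suspicious_records(csv_text):
    """Return (file name, reasons) for records matching the cheat-sheet filters:
    delete/rename of executable-like files, or a security-descriptor change
    on anything named Prefetch."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["File Name"].strip()
        mask = int(row["Reason"].strip(), 16)
        lower = name.lower()
        if (mask & DELETE_OR_RENAME) and lower.endswith(INTERESTING_EXT):
            hits.append((name, decode_reason(mask)))
        elif (mask & 0x00000800) and "prefetch" in lower:
            hits.append((name, decode_reason(mask)))
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_records(SAMPLE):
        print(name, "|".join(reasons))
```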

PowerShell

Get-Content (Get-PSReadLineOption).HistorySavePath

Command prompt

  • sc query dps
  • sc query sysmain
  • dir /ar
  • dir /ah

Regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory

Event viewer

  • Windows Logs > Security > 4616
  • Windows Logs > Application > 3079
  • Windows Logs > Security > 4798
  • Windows Logs > Security > 1102