ScreenSharing Guide - Remorsefull
Anydesk
Process Hacker
dll detector
SS Tool
Activity Viewer
Search Everything
Browsing history viewer
USB Deview
Other ss guide
Luyten
USB Detector
Other USB Detector
1. C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent
2. C:\Users\%username%\AppData\Local\CrashDumps
6. C:\$Recycle.Bin
Process Hacker
8. csrss - :\
9. Cdpu - ,"platform":"x_exe_path"},
Private methods:
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
(You need to run cmd in admin mode)
Useful
● Win+R: C:\$Recycle.Bin, shell:recent, prefetch, %temp%, %appdata%, %LOCALAPPDATA%\CrashDumps, firewall.cpl
● Regedit:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Programs
● System informer https://systeminformer.sourceforge.io/canary
● WinPrefetchview: https://www.nirsoft.net/utils/win_prefetch_view.html
● Search Everything: https://www.voidtools.com/downloads/
● Last Activity View: https://www.nirsoft.net/utils/lastactivityview.zip
● USB Deview: https://www.nirsoft.net/utils/usbdeview.zip
● Recaf https://github.com/Col-E/Recaf
● Journal trace: https://github.com/spokwn/JournalTrace/releases/tag/1.2
● Downloads: https://www.nirsoft.net/utils/web_browser_downloads_view.html
● Folder modified https://www.nirsoft.net/utils/shellbagsview.zip
● Echo usb https://dl.echo.ac/tool/usb
● Echo Journal https://dl.echo.ac/tool/journal
● Osforensics https://www.osforensics.com/download.html
System Informer: a free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
WinPrefetchView (NirSoft): view the content of Windows Prefetch (.pf) files.
Deleted .exe files (USN reason 0x80000200 = FILE_DELETE | CLOSE):
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x80000200 >> DeletedF.txt && notepad DeletedF.txt
Created .exe files (USN reason 0x00000100 = FILE_CREATE):
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00000100 >> CreatedF.txt && notepad CreatedF.txt
Deleted prefetch (.pf) files:
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /C:".pf" | findstr /i /C:"0x80000200" >> DeletedPF.txt && notepad DeletedPF.txt
Process restart (today's .pf entries mentioning net / net1):
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /C:".pf" | findstr /i /C:"%date%" | findstr /i /C:"net" /i /C:"net1" >> ProcessR.txt && notepad ProcessR.txt
Renamed .exe files (0x00001000 = RENAME_OLD_NAME, 0x00002000 = RENAME_NEW_NAME):
cd c:\users\%username%\desktop && echo ============= old file name ======== >> FIlesRNO.txt && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00001000 >> FIlesRNO.txt && echo ============= new name files ========= >> FIlesRNO.txt && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00002000 >> FIlesRNO.txt
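Added example (not part of this guide or of any tool it links): a PowerShell filter over the csv output of fsutil usn readjournal that tests the Reason column as a bit mask, so a record whose reason carries extra bits (for example 0x80000202, which the literal findstr /c:0x80000200 above never matches) is still reported. The column names, the Select-UsnRecords function and the sample records are my own assumptions and constructions, not output captured from a real machine.

```powershell
# USN_REASON_* flag values from winioctl.h (Windows SDK).
$UsnReason = @{
    FileCreate    = 0x00000100
    FileDelete    = 0x00000200
    RenameOldName = 0x00001000
    RenameNewName = 0x00002000
}

function Select-UsnRecords {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,   # csv text, header line first
        [Parameter(Mandatory)] [uint32]   $ReasonMask, # match if ANY of these bits is set
        [string] $NamePattern = '\.(exe|dll|pf)$'      # regex on the file name (case-insensitive)
    )
    $CsvLines | ConvertFrom-Csv | Where-Object {
        # Reason is printed as 0x... ; parse it as a number instead of comparing text.
        $reason = [Convert]::ToUInt32($_.Reason, 16)
        ($reason -band $ReasonMask) -ne 0 -and $_.'File name' -match $NamePattern
    } | Select-Object 'File name', Reason, 'Time stamp'
}

# Constructed sample in the assumed fsutil csv layout (header column names are an assumption).
# Record 1 is a deletion with an extra DATA_EXTEND bit, so its literal is 0x80000202:
# a substring match on "0x80000200" skips it, the bit-mask test does not.
$sample = @'
Usn,File name,File name length,Reason,Time stamp,File attributes,File ID,Parent file ID,Source info,Security ID,Major version,Minor version,Record length
1024,client.exe,20,0x80000202,1/2/2024 10:01:00 PM,0x00000020,0x0001000000000101,0x0005000000000005,0x00000000,0,2,0,80
1104,CLIENT.EXE-1A2B3C4D.pf,44,0x80000200,1/2/2024 10:01:05 PM,0x00000020,0x0001000000000102,0x0005000000000006,0x00000000,0,2,0,104
1184,notes.txt,18,0x80000200,1/2/2024 10:02:00 PM,0x00000020,0x0001000000000103,0x0005000000000005,0x00000000,0,2,0,80
1264,inject.dll,20,0x00000100,1/2/2024 10:03:00 PM,0x00000020,0x0001000000000104,0x0005000000000005,0x00000000,0,2,0,80
'@ -split "`r?`n"

# Live use from an elevated prompt:  $lines = fsutil usn readjournal c: csv
# Deleted executables and prefetch files -> client.exe and CLIENT.EXE-1A2B3C4D.pf
Select-UsnRecords -CsvLines $sample -ReasonMask $UsnReason.FileDelete
# Newly created executables/DLLs -> inject.dll
Select-UsnRecords -CsvLines $sample -ReasonMask $UsnReason.FileCreate
# Both halves of a rename in one pass
Select-UsnRecords -CsvLines $sample -ReasonMask ($UsnReason.RenameOldName -bor $UsnReason.RenameNewName)
```

On a real volume the journal is large, so capture fsutil's output to a variable or file once and run the filter over it several times rather than re-reading the journal for every reason code.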
Checks for unsigned DLLs under %temp%:
Get-ChildItem -Recurse "$env:temp\*.dll" -ea SilentlyContinue | ForEach-Object {Get-AuthenticodeSignature $_ -ea SilentlyContinue} | Where-Object {$_.Status -ine "Valid"} | Select Status,Path
Checks for unsigned EXEs under %temp%:
Get-ChildItem -Recurse "$env:temp\*.exe" -ea SilentlyContinue | ForEach-Object {Get-AuthenticodeSignature $_ -ea SilentlyContinue} | Where-Object {$_.Status -ine "Valid"} | Select Status,Path
● Services only*
get-service | findstr -i "pcasvc"; get-service | findstr -i "DPS"; get-service | findstr -i "Diagtrack"; get-service | findstr -i "sysmain"; get-service | findstr -i "eventlog"; get-service | findstr -i "sgrmbroker"; get-service | findstr -i "cdpusersvc"