reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Hunt
- Suspicious path (AppData/Temp)
- Random filename
Red Flags
- Newly added autorun entry
- Encoded PowerShell
BLUE TEAM / DFI / ARTEFACT / WINDOWS / REGISTRY