
CHEAT DETECTION

**Guide by: primeRizz** This is a general guide. I am also learning and will improve it in the future.

1. OUTSTANDING TOOLS
Powerful tools for forensic analysis, memory inspection, and detecting hidden cheats.

• OSForensics – Search files, recover deleted items, detect cheat installers.
• Volatility Workbench – GUI for memory forensics; inspect RAM for hidden processes and injected code.
• FTK Imager – Capture memory (memdump), preview hidden files, folders, and registry entries.
• Magnet RAM Capture – Capture live RAM to detect memory-only cheats.
• Canary – Real-time process monitor, detects DLL injections and suspicious activity.

2. GENERAL TOOLS
Lightweight tools for investigating executed programs, services, and cached apps.

• BAM-Parse – Parses Windows BagMRU and BAM entries to show recently executed programs and file usage.
• Prefetch-Parser – Analyzes Windows Prefetch files to identify recently run programs.
• Paths-Parser – Parses Windows path and MRU records to track executed files.
• Journal-Trace – Reads the NTFS USN journal to track file creation and deletion events.
• WinLiveInfo.exe – Displays live information about running processes, user activity, and active sessions.
• Service-Execution.exe – Lists executed services and their associated binaries.
• CachedProgramsList.exe – Shows programs stored in the Windows cache.
• Eric Zimmerman Tools – Forensic utilities for parsing logs, registries, timelines, and memory artifacts.
• Nirsoft Tools – Inspect browser history, network connections, passwords, and system artifacts.

3. NETWORK TOOLS
Tools for monitoring, capturing, and analyzing network activity related to cheats.

• GlassWire – Visual network monitor with alerts for new connections.
• NetworkMiner – Passive packet capture and host/port analysis.
• HxD – Hex editor for analyzing raw data in files, memory, and network captures.
• Volatility Workbench – Memory inspection for hidden network or memory-resident cheats.

4. COMMAND PROMPT & POWERSHELL COMMANDS

4.1 Command Prompt

• System Info: systeminfo | find /i "install date"

• Deleted Executables (USN reason 0x80000200 = USN_REASON_CLOSE | USN_REASON_FILE_DELETE):

fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x80000200 >> DeletedExes.txt
fsutil usn readjournal c: csv | findstr /i /c:.dll | findstr /i /c:0x80000200 >> Deleteddll.txt

• Created Executables on Desktop (USN reason 0x00000100 = USN_REASON_FILE_CREATE):

cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00000100 >> CreatedF.txt && notepad CreatedF.txt

• User & Permissions Info:

whoami
whoami /user
net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic sysaccount
wmic useraccount get name,SID
wmic useraccount list

• Processes & Network: tasklist, ipconfig, netstat, quser
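The findstr commands above match the literal reason string 0x80000200, so a delete record whose Reason field also carries other flags (for example 0x80000204) is missed. The following added example (not part of the original guide) filters the same `fsutil usn readjournal c: csv` output by the reason bitmask instead; the column names "File name", "Reason" and "Time stamp" are assumed to match fsutil's CSV header, and the sample rows are constructed.

```powershell
# Added example, not from the guide: filter `fsutil usn readjournal c: csv` output by the
# USN reason bitmask instead of matching the literal string 0x80000200
# (0x80000200 = USN_REASON_CLOSE | USN_REASON_FILE_DELETE). Column names are assumed
# to match fsutil's CSV header; the sample rows below are constructed.
$USN_REASON_FILE_CREATE = 0x00000100
$USN_REASON_FILE_DELETE = 0x00000200

function Select-UsnRecords {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,        # header row followed by records
        [string]$Extension = '.exe',
        [long]$ReasonMask = $USN_REASON_FILE_DELETE
    )
    $CsvLines | ConvertFrom-Csv | Where-Object {
        # Reason is a hex string such as "0x80000204"; Int64 keeps bit 31 positive
        $reason = [Convert]::ToInt64($_.'Reason'.Trim(), 16)
        (($reason -band $ReasonMask) -ne 0) -and
        $_.'File name'.ToLowerInvariant().EndsWith($Extension)
    } | Select-Object 'Time stamp', 'File name', 'Reason'
}

# Constructed sample in the shape of the fsutil CSV output (subset of columns)
$sample = @(
    'Usn,File name,File name length,Reason,Time stamp'
    '1001,client.exe,20,0x80000200,2024-01-01 12:00:00'
    '1002,inject.dll,20,0x80000204,2024-01-01 12:00:05'
    '1003,notes.txt,18,0x80000200,2024-01-01 12:00:09'
    '1004,game.exe,16,0x00000100,2024-01-01 12:01:00'
)

# Deleted .exe / .dll files: FILE_DELETE bit set, any other flags ignored
Select-UsnRecords -CsvLines $sample -Extension '.exe' | Format-Table -AutoSize   # client.exe
Select-UsnRecords -CsvLines $sample -Extension '.dll' | Format-Table -AutoSize   # inject.dll
# Newly created executables
Select-UsnRecords -CsvLines $sample -Extension '.exe' -ReasonMask $USN_REASON_FILE_CREATE   # game.exe

# Live use: replace the sample with the real journal
# Select-UsnRecords -CsvLines (fsutil usn readjournal c: csv) -Extension '.dll'
```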

4.2 PowerShell

• Network Monitoring:

netstat -abno
netstat -b
Get-Counter -Counter "\Network Interface(*)\Bytes Received/sec","\Network Interface(*)\Bytes Sent/sec"

• Established Connections:

Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        @{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}},
        @{Name='ProcessPath';Expression={(Get-Process -Id $_.OwningProcess).Path}} |
    Sort-Object RemoteAddress

• Structured View with Grid:

Get-NetTCPConnection |
    Where-Object State -ne 'Bound' |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} |
    Out-GridView -Title 'Active Network Connections'

• Kill Process: Stop-Process -Name "maliciousProcess"

• PowerShell Logs:

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object { $_.Message -like "*EncodedCommand*" }

• DNS Cache: Get-DnsClientCache

• Process Signature:

Get-Process | Select-Object Name, Path, @{Name="IsSigned";Expression={(Get-AuthenticodeSignature $_.Path).Status}}

• Recent File Changes (the -ErrorAction switch suppresses access-denied noise from protected folders):

Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
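The established-connection and process-signature queries above are most useful together: an unsigned binary holding a connection to an external address is exactly what a network-based cheat looks like. The following added example (not part of the original guide) joins the two; the sample connections are constructed and point at the current PowerShell process so it runs offline.

```powershell
# Added example, not from the guide: tie each established TCP connection to its owning
# binary and Authenticode status, and flag external peers served by anything other than
# a validly signed process. Processes without a readable path (protected/system) are
# reported as 'NoPath' instead of erroring. Sample connections below are constructed.
function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges, loopback, link-local and their IPv6 equivalents count as internal
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)')
}

function Get-ConnectionSignatureReport {
    param([object[]]$Connections)   # objects with RemoteAddress, RemotePort, OwningProcess
    foreach ($c in $Connections) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        $status = 'NoPath'
        if ($path) { $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString() }
        [pscustomobject]@{
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            ProcessName   = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
            ProcessPath   = $path
            Signature     = $status
            # External peer plus anything other than a valid signature deserves a closer look
            Flagged       = (-not (Test-PrivateAddress $c.RemoteAddress)) -and ($status -ne 'Valid')
        }
    }
}

# Constructed sample: one internal and one external (TEST-NET-3) peer, both owned by this shell
$sample = @(
    [pscustomobject]@{ RemoteAddress = '127.0.0.1';    RemotePort = 8080; OwningProcess = $PID }
    [pscustomobject]@{ RemoteAddress = '203.0.113.10'; RemotePort = 443;  OwningProcess = $PID }
)
Get-ConnectionSignatureReport -Connections $sample | Format-Table -AutoSize

# Live use: every established connection, flagged rows only, sorted by remote address
# Get-ConnectionSignatureReport -Connections (Get-NetTCPConnection -State Established) |
#     Where-Object Flagged | Sort-Object RemoteAddress | Format-Table -AutoSize
```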

5. EVENT VIEWER & SYSINTERNALS
Sysmon (System Monitor) – Logs detailed system activity to the Windows Event Log, including processes, network connections, and file changes.

5.0 Installing & Configuring Sysmon

Sysmon64.exe -i -accepteula                    (install with the default configuration)
Sysmon64.exe -i sysmonconfig.xml -accepteula   (install with a configuration file)
Sysmon64.exe -c sysmonconfig.xml               (update the configuration of a running install)
Sysmon64.exe -u                                (uninstall)

5.1 Common Windows Event IDs

| Log Type    | Event ID | Description                              |
|-------------|----------|------------------------------------------|
| Security    | 4616     | System time changed                      |
| Security    | 1102     | Security log cleared                     |
| Security    | 1100     | Services shut down unexpectedly          |
| Security    | 4634     | Account logoff                           |
| Security    | 4672     | Special privileges assigned to new logon |
| Security    | 4656     | Handle to an object was requested        |
| Security    | 4688     | New process created                      |
| Security    | 7045     | A service was installed                  |
| Application | 1000     | Application crash                        |
| Application | 3079     | Application log cleared                  |
| System      | 7034     | Service crash                            |
| System      | 104      | System log cleared                       |
| PowerShell  | 4103     | PowerShell pipeline execution            |
| PowerShell  | 4104     | PowerShell script block executed         |

5.2 Network-Related Event IDs

• NetworkProfile (Operational): 10000 (Connected), 10001 (Disconnected)
• WLAN-AutoConfig (Operational/Analytic): 8000–8003 (Connection attempts, successes, disconnects), 8005 (Authentication errors)
• NDIS (Operational): 4201 (Adapter enabled), 27 (Adapter error), 4000–4007 (DHCP activity)

5.3 Accessing Event Logs

1. Launch Event Viewer: eventvwr.msc
2. Enable Analytic/Debug logs: View → Show Analytic and Debug Logs
3. Navigate: Applications and Services Logs ▶ Microsoft ▶ Windows ▶
   • NetworkProfile ▶ Operational
   • WLAN-AutoConfig ▶ Operational (enable Diagnostics manually)
   • NDIS ▶ Operational
   • Diagnostics-Networking
4. Filter by Event ID for quick analysis.

5.4 Useful Sysmon Event IDs

| Event ID | Description                     |
|----------|---------------------------------|
| 1        | Process creation                |
| 2        | File creation time changed      |
| 3        | Network connection detected     |
| 5        | Process terminated              |
| 6        | Driver loaded                   |
| 7        | Image loaded                    |
| 8        | CreateRemoteThread detected     |
| 10       | Process access detected         |
| 11       | File created                    |
| 12       | Registry object added/modified  |
| 13       | Registry value set              |
| 22       | DNS query                       |
| 23       | File delete                     |
| 255      | Sysmon service started          |

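Events 8 (CreateRemoteThread) and 10 (ProcessAccess) are the ones that show a DLL-injecting cheat reaching into the game process. The following added example (not part of the original guide) parses those events from their event XML and flags injection-like access to a monitored process; field names follow the Sysmon event schema, and the sample event and the target name game.exe are constructed.

```powershell
# Added example, not from the guide: parse Sysmon events 8 (CreateRemoteThread) and
# 10 (ProcessAccess) from their event XML and flag injection-like access to a monitored
# process. Field names follow the Sysmon event schema; the sample event and the
# target name 'game.exe' are constructed.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_WRITE      = 0x0020

function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory)][string]$Xml)   # text from $event.ToXml()
    $doc = [xml]$Xml
    $id = $doc.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    $fields = @{ EventID = [int]$id }
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.'#text' }
    return $fields
}

function Test-InjectionEvent {
    param([hashtable]$E, [string]$TargetName)
    $target = [System.IO.Path]::GetFileName($E['TargetImage'])
    if ($target -ne $TargetName) { return $false }
    if ($E['SourceImage'] -eq $E['TargetImage']) { return $false }   # a process touching itself is normal
    switch ($E['EventID']) {
        8  { return $true }   # any remote thread started inside the target
        10 {
            # GrantedAccess is a hex string such as 0x1FFFFF; look for write/thread rights
            $granted = [Convert]::ToInt64($E['GrantedAccess'], 16)
            return (($granted -band ($PROCESS_CREATE_THREAD -bor $PROCESS_VM_WRITE)) -ne 0)
        }
        default { return $false }
    }
}

# Constructed ProcessAccess event in Sysmon's XML shape
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\player\Downloads\loader.exe</Data>
    <Data Name="TargetImage">C:\Games\game.exe</Data>
    <Data Name="GrantedAccess">0x1FFFFF</Data>
  </EventData>
</Event>
'@
Test-InjectionEvent (ConvertFrom-SysmonEventXml $sampleEvent) 'game.exe'   # True

# Live use: scan the Sysmon operational log for the same pattern
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8, 10 } |
#     ForEach-Object { ConvertFrom-SysmonEventXml $_.ToXml() } |
#     Where-Object { Test-InjectionEvent $_ 'game.exe' }
```
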
6. REGISTRY KEYS
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store – Compatibility history.
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings – BAM user activity.
• HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache – Recently used applications.
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU – Recently run commands.
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView – Jump list view usage.
• HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet – Default browsers.
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache – Indexed volume info.

End of Guide – Guide by primeRizz. Will improve this in future for sure. This is the first version and may contain mistakes. Thank you.
