Threat Hunting for Windows Registry
The registry is a hierarchical database in Microsoft Windows operating systems that stores application settings, low-level system settings, and user preferences.
Registry Structure:
• Hives: contain keys (directories) and values
• Keys: might contain subkeys and/or values
• Subkeys: no difference between key and subkey structure
• Values: store data
Registry ROOT Keys:
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
Common Hive Locations:
• HKLM\SECURITY: %SystemRoot%\system32\config\SECURITY
• HKLM\SOFTWARE: %SystemRoot%\system32\config\SOFTWARE
• HKLM\SYSTEM: %SystemRoot%\system32\config\SYSTEM
• HKLM\SAM: %SystemRoot%\system32\config\SAM
• HKU\DEFAULT: %SystemRoot%\system32\config\DEFAULT
• HKU\UserProfile: <profiles folder>\NTUSER.DAT
HKEY_LOCAL_MACHINE Subkeys:
• BCD: Boot configuration data replacing boot.ini
• HARDWARE: maintains descriptions of the system’s hardware and all hardware device-to-driver mappings.
• SAM: holds local account and group information.
• SECURITY: stores system-wide security policies and user-rights assignments.
• SOFTWARE: stores system-wide configuration information not needed to boot the system.
• SYSTEM: contains the system-wide configuration information needed to boot the system.
Default Security Identifiers (SIDs):
• S-1-0-0 (Nobody): A group with no members
• S-1-1-0 (Everyone): A group that includes all users
• S-1-2-0 (Local): Users who logged on locally
• S-1-2-1 (Console Logon): Users on the physical console
• S-1-3-0 (Creator Owner): The user who created a new object
• S-1-3-1 (Creator Group): The primary group of the user who created a new object
• S-1-5-2 (Logon Network): Users logging on via the network
• S-1-5-7 (Anonymous): Anonymous logged-on users
• S-1-5-18 (Local System): The OS itself
• S-1-5-19 (Local Service): Service account
• S-1-5-20 (Network Service): Service account
• S-1-5-21-xxxxx-500 (Administrator): The system's built-in Administrator account; the S-1-5-21-xxxxx part is installation dependent
• S-1-5-32-544 (Administrators): Group of all administrators
Windows Computer Name Check
• SYSTEM\ControlSet00#\Control\ComputerName\ComputerName
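The hive files listed under Common Hive Locations can be examined without booting the machine they came from. The following is an added example, not code from the original post: it mounts a copied SYSTEM hive with the built-in reg.exe, resolves which ControlSet00# the machine actually booted with (HKLM\SYSTEM\Select\Current, which is what CurrentControlSet aliases on a live system), and reads the computer name from that control set. The evidence path C:\Evidence\SYSTEM and the mount name EvidenceSYSTEM are constructed; an elevated session is assumed.

```powershell
# Added example, not code from the original post. Mount a SYSTEM hive copied out of
# %SystemRoot%\system32\config (e.g. from a disk image), work out which ControlSet00#
# the machine actually used, and read the computer name from it.
# Assumptions: the copied hive sits at C:\Evidence\SYSTEM (constructed path), the
# session is elevated, and the built-in reg.exe is available.

$HiveFile  = 'C:\Evidence\SYSTEM'   # constructed path to the copied hive
$MountName = 'EvidenceSYSTEM'       # temporary subkey name under HKLM; any unused name works

# Attach the offline hive as HKLM\EvidenceSYSTEM. reg.exe fails if the file is locked
# (a live machine's own hive) or if the session is not elevated.
reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HiveFile (elevated session? file locked?)" }

try {
    # HKLM\SYSTEM\Select records which control set booted (Current) and which one is the
    # fallback (LastKnownGood). On a live system CurrentControlSet is just an alias for
    # ControlSet00<Current>, which is why the post writes the keys as ControlSet00#.
    $select = Get-ItemProperty -Path "HKLM:\$MountName\Select"
    $csName = 'ControlSet{0:D3}' -f [int]$select.Current
    $csPath = "HKLM:\$MountName\$csName"

    $cn = Get-ItemProperty -Path "$csPath\Control\ComputerName\ComputerName"

    [pscustomobject]@{
        HiveFile      = $HiveFile
        CurrentSet    = $csName
        LastKnownGood = 'ControlSet{0:D3}' -f [int]$select.LastKnownGood
        ComputerName  = $cn.ComputerName
    }
}
finally {
    # Always detach, otherwise the hive file stays locked until the key is unloaded or the box reboots
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Every SYSTEM-hive path in the sections below (services, DHCP, Remote Desktop, firewall) can be read the same way by substituting `$csPath` for `SYSTEM\ControlSet00#`; a hive whose Current and LastKnownGood sets differ is worth diffing, since configuration changes land in the current set only.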
Windows Services Check
• SYSTEM\ControlSet00#\Services\
• SYSTEM\ControlSet00#\Services\<name>\Start
The Start value determines how the service will behave:
• 0 = boot
• 1 = system
• 2 = automatic
• 3 = manual
• 4 = disabled
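An added example, not code from the original post, that applies the Start table above on a live system: it walks the Services key, decodes Start, normalises the many spellings of ImagePath into an absolute path, and flags services that start without user action (Start 0 to 2) from outside the Windows and Program Files directories. CurrentControlSet stands in for ControlSet00#; the list of "trusted" root directories and the ImagePath parsing heuristic are assumptions of this example.

```powershell
# Added example, not code from the original post. Walks the Services key on a live
# system, decodes Start with the table above, normalises ImagePath, and flags services
# that start without user action (Start 0-2) from outside the OS and program directories.
# CurrentControlSet is used in place of ControlSet00#; the "trusted roots" list is an assumption.

$StartNames   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
                Where-Object { $_.Length -gt 1 }   # drop entries whose variable was unset

function Resolve-ServiceImage {
    # Turn the common ImagePath spellings into a plain absolute path (heuristic, not exhaustive):
    #   \??\C:\x.sys   \SystemRoot\System32\drivers\x.sys   system32\x.exe   "C:\Program Files\x.exe" -k svc
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }          # quoted executable, arguments follow
    else { $p = ($p -split ' -| /')[0] }                        # unquoted: cut at the first " -" or " /" switch
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }   # relative paths resolve under %SystemRoot%
    return $p
}

function Get-ServiceStartInfo {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $v.Start) { return }            # not a service entry (no Start value)

        $image   = Resolve-ServiceImage $v.ImagePath
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($image -and $image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }

        [pscustomobject]@{
            Name       = $_.PSChildName
            Start      = $v.Start
            StartMode  = $StartNames[[int]$v.Start]
            ImagePath  = $image
            Suspicious = (-not $trusted) -and ([int]$v.Start -le 2)   # auto-start from an unusual location
        }
    }
}

# Hunting view: services that start on their own and run from outside the expected directories
Get-ServiceStartInfo | Where-Object Suspicious | Sort-Object Name | Format-Table Name, StartMode, ImagePath -AutoSize
```

A service with Start = 2 whose ImagePath resolves to a user-writable directory, or whose path does not exist at all, is the kind of entry this view is meant to surface; legitimate third-party services installed outside Program Files will also appear, so treat the list as a triage queue rather than a verdict.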
Windows DHCP IP Address Check
● SYSTEM\ControlSet00#\Services\Tcpip\Parameters\Interfaces\{GUID}\DhcpIPAddress
Autoruns Check
To find which programs are started automatically when the system is turned on;
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
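An added example, not code from the original post, that dumps the Run and RunOnce keys listed above and enriches each entry with whether its binary exists, its SHA-256 and its Authenticode status, which is what a hunter needs to triage the list quickly. It goes beyond the post by also reading the same two keys under HKCU (the current user's NTUSER.DAT), where per-user autoruns live; the command-line parsing is a simple heuristic.

```powershell
# Added example, not code from the original post. Lists Run/RunOnce entries from the
# machine-wide keys above plus the per-user equivalents under HKCU (an addition here),
# resolves each command to a file, and records hash and signature status for triage.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'       # per-user (NTUSER.DAT); not listed in the post
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'   # per-user (NTUSER.DAT); not listed in the post
)

function Get-RegistryAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $raw = [string]$item.GetValue($valueName)

            # Heuristic: take the quoted executable, or cut an unquoted command at the first " -" / " /" switch
            $exe = [Environment]::ExpandEnvironmentVariables($raw)
            if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($exe -split ' -| /')[0] }

            $hash = $null; $signature = 'n/a'
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $hash      = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                $signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status   # Valid, NotSigned, HashMismatch, ...
            }

            [pscustomobject]@{
                Key       = $key
                Name      = $valueName
                Command   = $raw
                Binary    = $exe
                Exists    = [bool]$hash
                Signature = $signature
                SHA256    = $hash
            }
        }
    }
}

# Entries whose binary is missing or not validly signed go to the top of the triage list
Get-RegistryAutoruns | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-List
```

RunOnce values are deleted once they have executed, so on a live system an empty RunOnce key says nothing about what ran at the last logon; the offline hive from a disk image, or a prior snapshot, is the place to look for those.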
Remote Desktop
• SYSTEM\ControlSet00#\Control\Terminal Server\fDenyTSConnections
The value 1 means Remote Desktop is turned OFF; 0 means it is turned ON.
Installed Applications Check
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Windows Recycle Bin Status
The settings are: 1 = bypass Recycle Bin 0 = move to Recycle Bin
• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{GUID}\NukeOnDelete
IE TypedURLs
URLs typed into the Internet Explorer (IE) address bar can be found here:
• NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs
IE Browser Settings
More IE Browser Settings and artifacts such as:
• Local page
• Start page
• Tabs
● NTUSER.DAT\Software\Microsoft\Internet Explorer\Main
Windows Firewall Check
The value 0 means OFF while 1 means it is ON.
• Private (standard)
SYSTEM\ControlSet00#\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
• Public
SYSTEM\ControlSet00#\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
• Domain
SYSTEM\ControlSet00#\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
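The Remote Desktop, Windows Recycle Bin Status and Windows Firewall sections each describe a single DWORD whose 0/1 meaning is easy to invert under pressure. The following is an added example, not code from the original post: it reads those values on a live system and translates them using exactly the meanings the post gives, expanding the Recycle Bin check to every volume GUID present under the current user's BitBucket key. CurrentControlSet stands in for ControlSet00#; the check table and output format are this example's own.

```powershell
# Added example, not code from the original post. Reads the posture DWORDs from the
# Remote Desktop, Firewall and Recycle Bin sections and renders them with the post's
# 0/1 meanings. CurrentControlSet replaces ControlSet00#; HKCU replaces NTUSER.DAT.

$Checks = @(
    @{ Name = 'Remote Desktop'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Value = 'fDenyTSConnections'
       Map  = @{ 0 = 'ON'; 1 = 'OFF' } }          # fDenyTSConnections: 1 = RD turned OFF, 0 = RD turned ON
    @{ Name = 'Firewall (Private/Standard)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Value = 'EnableFirewall'
       Map  = @{ 0 = 'OFF'; 1 = 'ON' } }
    @{ Name = 'Firewall (Public)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile'; Value = 'EnableFirewall'
       Map  = @{ 0 = 'OFF'; 1 = 'ON' } }
    @{ Name = 'Firewall (Domain)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'; Value = 'EnableFirewall'
       Map  = @{ 0 = 'OFF'; 1 = 'ON' } }
)

# NukeOnDelete is per user and per volume, so add one check for every volume GUID present
$BitBucket = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume'
if (Test-Path $BitBucket) {
    foreach ($vol in Get-ChildItem -Path $BitBucket) {
        $Checks += @{ Name = "Recycle Bin ($($vol.PSChildName))"; Path = $vol.PSPath; Value = 'NukeOnDelete'
                      Map  = @{ 0 = 'move to Recycle Bin'; 1 = 'bypass Recycle Bin' } }
    }
}

function Get-RegistryPosture {
    foreach ($c in $Checks) {
        $raw = $null
        if (Test-Path $c.Path) {
            $raw = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $meaning = if ($null -eq $raw) { 'value absent (default applies)' }
                   elseif ($c.Map.ContainsKey([int]$raw)) { $c.Map[[int]$raw] }
                   else { "unexpected value $raw" }
        [pscustomobject]@{ Check = $c.Name; Raw = $raw; Meaning = $meaning; Source = "$($c.Path)\$($c.Value)" }
    }
}

Get-RegistryPosture | Format-Table Check, Raw, Meaning -AutoSize
```

An absent value is reported rather than silently treated as 0 or 1, because on a domain-joined host a Group Policy setting stored elsewhere in the registry can override these local values; the local DWORD tells you what the machine was configured to do, not necessarily what is enforced.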
Network Types
1 — Wired, 2 — Broadband, 3 — Wireless
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Network History
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
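The Network Types and Network History keys above are where a hunter reconstructs which networks a host has joined and when. The following is an added example, not code from the original post: it lists every profile under NetworkList\Profiles and decodes the binary DateCreated and DateLastConnected values, which are SYSTEMTIME structures (eight little-endian UInt16 fields). Two things go beyond the post and are this example's additions: the NameType encodings used (0x06 wired, 0x17 broadband, 0x47 wireless, the values seen on current Windows builds; the post's own numbering is 1/2/3), and the join to NetworkList\Signatures\Unmanaged, which records the gateway MAC and DNS suffix each profile was keyed on.

```powershell
# Added example, not code from the original post. Lists NetworkList profiles, decodes
# the 16-byte SYSTEMTIME binaries (year, month, day-of-week, day, hour, minute, second, ms
# as little-endian UInt16s), and joins each profile to its Signatures\Unmanaged entry.
# The NameType encodings and the Signatures join are additions, not taken from the post.

$NlBase    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$NameTypes = @{ 0x06 = 'Wired'; 0x17 = 'Broadband'; 0x47 = 'Wireless' }   # assumption: current Windows encodings

function ConvertFrom-SystemTime {
    # 16-byte SYSTEMTIME -> [datetime]; returns $null for missing or zeroed data
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $f = foreach ($i in 0, 2, 4, 6, 8, 10, 12, 14) { [BitConverter]::ToUInt16($Bytes, $i) }
    try { [datetime]::new($f[0], $f[1], $f[3], $f[4], $f[5], $f[6], $f[7]) }   # $f[2] is day-of-week, not needed
    catch { $null }
}

function Get-NetworkProfileHistory {
    # Index signatures by ProfileGuid so each profile can show the gateway MAC it was keyed on
    $sigs = @{}
    foreach ($s in Get-ChildItem -Path "$NlBase\Signatures\Unmanaged" -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $s.PSPath
        if ($v.ProfileGuid) { $sigs[$v.ProfileGuid] = $v }
    }

    foreach ($prof in Get-ChildItem -Path "$NlBase\Profiles" -ErrorAction SilentlyContinue) {
        $p   = Get-ItemProperty -Path $prof.PSPath
        $sig = $sigs[$prof.PSChildName]
        $mac = if ($sig -and $sig.DefaultGatewayMac) { ($sig.DefaultGatewayMac | ForEach-Object { '{0:X2}' -f $_ }) -join ':' } else { $null }
        [pscustomobject]@{
            ProfileGuid   = $prof.PSChildName
            ProfileName   = $p.ProfileName
            Description   = $p.Description
            NameType      = $p.NameType
            Type          = if ($null -ne $p.NameType -and $NameTypes.ContainsKey([int]$p.NameType)) { $NameTypes[[int]$p.NameType] } else { 'unknown' }
            Created       = ConvertFrom-SystemTime $p.DateCreated
            LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
            GatewayMac    = $mac
            DnsSuffix     = if ($sig) { $sig.DnsSuffix } else { $null }
        }
    }
}

Get-NetworkProfileHistory | Sort-Object LastConnected -Descending |
    Format-Table ProfileName, Type, Created, LastConnected, GatewayMac, DnsSuffix -AutoSize
```

The SYSTEMTIME fields are stored in local time, so correlate them with the machine's time zone before lining them up against UTC log sources; a wireless profile whose gateway MAC matches none of the organisation's access points is the typical finding this view is built to expose.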
Last User Logged In
• SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
Mounted Devices:
● HKLM\SYSTEM\MountedDevices
Drive Letters and Volume Names:
● SOFTWARE\Microsoft\Windows Portable Devices\Devices
Thank you again for reading. See you soon :)