Threat Hunting for Windows Registry

Source : https://www.goabc.org/canada-lynx/

The registry is a file system by Microsoft Windows operating systems that stores application settings, low-level system settings, and user preferences.

Registry Structure:
• Hives: contain keys (directories) and values
• Keys: might contain subkeys and/or values
• Subkeys: no difference between key and subkey structure
• Values: store data

Registry ROOT Keys:
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS

Source : https://www.computerhope.com/jargon/r/registry.htm

Common Hive Locations:
• HKLM\SECURITY:%SystemRoot%\system32\config\ SECURITY
• HKLM\SOFTWARE: %SystemRoot%\system32\config\SOFTWARE
• HKLM\SYSTEM: %SystemRoot%\system32\config\SYSTEM
• HKLM\SAM: %SystemRoot%\system32\config\SAM
• HKU\DEFAULT: %SystemRoot%\system32\config\DEFAULT
• HKU\UserProfile: <profiles folder>\NTUSER.DAT

HKEY_LOCAL_MACHINE Subkeys:
BCD: Boot configuration data replacing boot.ini
HARDWARE: maintains descriptions of the system’s hardware and all hardware device-to-driver mappings.
SAM: holds local account and group information.
SECURITY: stores system-wide security policies and user-rights assignments.
SOFTWARE: stores system-wide configuration information not needed to boot the system.
SYSTEM: contains the system-wide configuration information needed to boot the system.

Default Security Identifier(s) or SIDs;
• S-1–0–0 (Nobody): A group with no members
• S-1–1–0 (Everyone): A group that includes all users
• S-1–2–0 (Local): Users who logged on locally
• S-1–2–1 (Console Logon): Users on the physical console
• S-1–3–0 (Creator Owner): The user who created a new object
• S-1–3–1 (Creator Group): The primary group of the user who created a new object
• S-1–5–2 (Logon Network): Users logging on via network
• S-1–5–7 (Anonymous): Anonymous logged on users
• S-1–5–18 (Local System): The OS itself
• S-1–5–19 (Local Service): Service account
• S-1–5–20 (Network Service): Service account Installation dependent
• S-1–5–21-xxxxx-500: System’s Administrator
• S-1–5–32–544 (Administrators): Group of all administrators

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164

Windows Computer Name Check
• SYSTEM\ControlSet00#\Control\ComputerName\ ComputerName

Windows Services Check
● SYSTEM\ControlSet00#\Service\
● SYSTEM\ControlSet00#\Service\<name>\Start

Value that determines how the service will behave:
● 0=boot
● 1 = system
● 2 = automatic
● 3 = manual
● 4 = disabled

Windows DHCP IP Address Check
● SYSTEM\ControlSet00#\Services\Tcpip\Parameters\Interfaces\{GUID}\DhcpIPAddress

Autoruns Check
To find which programs are started automatically when the system is turned on;
●HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run/RunOnce
●HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RunOnce

Remote Desktop
1 = RD is turned OFF 0 = RD is turned ON
● SYSTEM\ControlSet###\Control\TerminalServer\ fDenyTSConnections

Installed Applications Check
● HKLM\SOFTWARE\Microsoft\Windows\C.V.\App Paths
● HKLM\SOFTWARE\Microsoft\Windows\C.V.\Uninstall

Windows Recycle Bin Status
The settings are: 1 = bypass Recycle Bin 0 = move to Recycle Bin
●NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{GUID}\NukeOnDelete

IE TypedURLs
URLs entered in Internet Explorer (IE) can be found here.
● NTUSER.DAT\Software\Microsoft\Internet Explorer

IE Browser Settings
More IE Browser Settings and artifacts such as:
• Local page
• Start page
• Tabs
● NTUSER.DAT\Software\Microsoft\Internet Explorer\Main

Windows Firewall Check
The value 0 means OFF while 1 means it is ON.
● Private (standard)
SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
● Public
SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
● Domain
SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

https://docs.microsoft.com/tr-tr/windows/security/threat-protection/auditing/event-4957

Network Types
1 — Wired, 2 — Broadband, 3 — Wireless
●HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles

Network History
●HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Nla\Cache

Last User Logged In
●SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLogged OnUser

Mounted Devices;
● HKLM\SYSTEM\MountedDevices

Drive Letters and Volume Names:
● SOFTWARE\Microsoft\Windows Portable Devices\Devices

Thank you again for reading. See you soon :)

https://tenor.com/view/keanu-reeves-thank-you-gif-18255532

https://tenor.com/view/keanu-reeves-thank-you-gif-18255532

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alican Kiraz

Blue Team Lead | CSIE | CSAE | CASP+ | eCIR | eWPTXv2 | eCTHPv2 | OSWP | Pentest+ | CySA+ | Security+ | CEH Master | CEHv10 | ISO27001 IA