Windows Registry Forensics
Forensic analysis of the Windows registry
Summary
In this blog we will take a look at how to perform forensic analysis on an offline copy of the Windows registry to discover malicious files or backdoors. To demonstrate this we will use the HackTheBox forensics challenge called Persistence.
Setup
Download the required zip file from the challenge and unzip it.
Checking the file type.
The file is of type "MS Windows registry". It is a registry hive, an offline copy of one branch of the Windows registry as stored on disk, so it can be examined without booting the machine it came from.
There are many tools for investigating an offline registry hive; here we use regshell from registry-tools. To install it on Linux:
After the installation, let's move on to the analysis.
Forensics
The challenge name is the hint: we need to find the registry entry that is used for persistence, and the file it launches.
Creating registry entries that execute an arbitrary payload at Windows logon is one of the oldest tricks in the red team playbook (MITRE ATT&CK T1547.001). The technique only requires adding a value under one of the registry Run keys, and tooling such as Metasploit, Empire and SharPersist offers it out of the box; it is also widely used by real threat actors.
Run key values can be added from a terminal (for example with reg add) to achieve persistence. Each value holds a reference to the payload, which is executed when a user logs in. The following registry locations are the ones most commonly used by threat actors and red teams for this technique:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Example commands -
From registry-tools we can use regshell to open the hive and navigate it like a filesystem.
The "list" command lists the subkeys and values of the current key. To hunt for persistence we look at the values under the Run keys described above. Using the "cd" command, navigate down to the Run key:
Now list the contents of the key:
The Run key holds a value named "Windows Update" whose data points to an executable in System32 named SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9.exe. Naming a malicious autostart value after a legitimate Windows component is a common way to blend in; the actual Windows Update service does not register itself this way, so the name alone is a red flag.
The file name looks like an encoded string. Pasting it into CyberChef decodes it.
The string was Base64-encoded, and the decoded text is the flag.
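The same triage can be done offline without a GUI. As an added example (not part of the original write-up or of the challenge files), the Python script below parses a .reg export of the autostart keys, pulls every value from the Run and RunOnce keys, extracts the executable each one launches, and flags file names that decode cleanly as Base64, which is exactly what the file name found above turns out to be. The embedded registry text is a constructed sample: the "Windows Update" value mirrors the finding in this challenge, while the OneDrive and Cleanup entries and the full System32 path are assumptions for illustration.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Autostart keys to inspect (matched on the last component of the key path).
AUTOSTART_KEYS = ("Run", "RunOnce")

# Constructed sample: a reg.exe export of the user and machine autostart keys.
# The "Windows Update" value reproduces the finding in this write-up; the
# OneDrive and Cleanup entries and the full System32 path are made up.
# Real exports are UTF-16LE with a BOM, see parse_reg_file().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Update"="C:\\Windows\\System32\\SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cmd.exe /c del C:\\Temp\\setup.tmp"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def unescape_reg_string(s: str) -> str:
    # In .reg files a backslash escapes the next character (used for \\ and \").
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a .reg export.

    Only REG_SZ data ("...") is unescaped; other types (dword:, hex(2):)
    are kept as the raw right-hand side of the line.
    """
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = unescape_reg_string(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape_reg_string(data[1:-1])
            tree[current][name] = data
    return tree


def parse_reg_file(path: str) -> Dict[str, Dict[str, str]]:
    """reg.exe writes UTF-16LE with a BOM; the utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def executable_path(command: str) -> str:
    """First token of a command line, honouring a quoted path containing spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def decode_if_base64(token: str) -> Optional[str]:
    """Decoded text if token is Base64 for printable ASCII, otherwise None.

    Heuristic: legitimate file names are rarely 16+ characters of pure Base64
    alphabet, a multiple of 4 long, AND decode to clean printable text.
    """
    if len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def find_autostart_entries(tree: Dict[str, Dict[str, str]]) -> List[dict]:
    """Every value under a Run/RunOnce key, with the executable it launches and,
    when that file name is Base64, what it decodes to."""
    findings = []
    for key, values in tree.items():
        if key.rsplit("\\", 1)[-1] not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            exe = executable_path(data)
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name without extension
            findings.append({
                "key": key,
                "name": name,
                "command": data,
                "executable": exe,
                "decoded_name": decode_if_base64(stem),  # "HTB{1_C4n_kw3ry_4LR19h7}" for the sample
            })
    return findings


if __name__ == "__main__":
    for f in find_autostart_entries(parse_reg(SAMPLE_REG)):
        note = f"  <-- file name is Base64 for {f['decoded_name']!r}" if f["decoded_name"] else ""
        print(f"{f['key']}\n  {f['name']!r} -> {f['command']}{note}")
```

The Base64 test is deliberately conservative (length, alphabet and printable output all have to line up) so that ordinary long product names are not flagged; the value name imitating a Windows component and the binary sitting directly in System32 are the other two signals worth eyeballing in the printed listing. For a live export, run reg export on each of the four keys and pass the files to parse_reg_file.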
In this blog we looked at an example of analysing an offline Windows registry hive to hunt for a persistence backdoor. The same check applies to any hive pulled from a compromised host: list the values under the Run and RunOnce keys, inspect what each one launches, and be suspicious of names that imitate Windows components or look encoded.
Thank you for reading ☺️