whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Forensics/Windows Registration.md

251 lines
9.3 KiB
Markdown
Raw Blame History

# Windows Registry
* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)
## Regedit Keys
* HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
* `HKEY_CURRENT_USER\Software\Classes` for settings of interactive user
* `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
* HKEY_CURRENT_CONFIG
## Paths
These parts of the registries are called hives. They can be found under `C:\Windows\System32\Config`.
* Default -> `HKEY_USERS\DEFAULT`
* SAM contains account names/status/groups, hashed password, login timestamps -> `HKEY_LOCAL_MACHINE\SAM`
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
* `C:\Users\<username>\`
* NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
* USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file
* `C:\Windows\AppCompat\Programs\Amcache.hve`
* `C:\Windows\security\database\`
* `secedit.sdb`, access control configuration
### Transaction Logs
* Transaction `<name of registry hive>.LOG` of the registry hive
Saved inside the same directory which is `C:\Windows\System32\Config`, as the
hive which was altered.
### Backups
* Saved every ten days
* Look out for recently deleted or modified keys
* `C:\Windows\System32\Config\RegBack`
## Data Acquisition
Multiple tools with their own strengths and weaknesses should be chosen to acquire
the registry data, no matter if it is a live or a copied acquisition. Commonly
used tools are the following ones.
* [Autopsy](https://www.autopsy.com/)
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen, copy them manually as an export from the file tree of the chosen image
[KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape),
preserves directory tree.
Following parts of EZTools should be taken note of.
* Registry Viewer
* Zimmerman's Registry Explorer, uses transaction logs as well
* AppCompatCache Parser
* RegRipper, cli and gui
## System Information
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
* Service will start at boot with `start` key value `0x02`
* Users, SAM -> `SAM\Domains\Account\Users`
### Control Sets
* `ControlSet001` -> last boot
* `ControlSet002` -> last known good
* `HKLM\SYSTEM\CurrentControlSet` -> live
* Can be found under:
* `SYSTEM\Select\Current` shows the used control set
* `SYSTEM\Select\LastKnownGood`
## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
Run program on login for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login for any user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login once for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
Run program for on login once for any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
## Recent Files
Recently accessed documents can be found under the following path, e.g. xml,
pdf, jpg.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
## ShellBags
Use something like shellbag explorer as a tool to display information from shellbags.
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
## Last Open/Saved/Visited Dialog MRUs
Content of dialog windows is stored in the following folders and last
visited/saved paths.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastSavedPidlMRU`
## Explorer Address/Search Bars
Registry folder which includes paths typed by the user.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
Registry folder which includes search queries from file explorer.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
## User Assist
GUI applications launched by the user (and the number of usage) listed by
GUIDs can be found in the following folder.
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
## Network
Network configuration can be found in the following path.
* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList`
## Domain Account Information
The NT Directory Services `NTDS.dit` hive is an active directory database which contains information about the domain users.
Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships, hashed passwords for user accounts, login timestamps, last set password, expiration time of the current password, security policies, OUs and connections to other domains.
To get information out of the `NTDS.dit` hive, it has to be exported along with the SYSTEM hive to get the boot key of the system for decryption.
Use `ntdsutil` tool to export a snapshot of the information.
```sh
C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit
```
Export the boot key of the system and use it for decryption.
```sh
$BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\NTDS.dit' -BootKey $BootKey
```
## Shim Cache
Application Compatibility, AppCompatCache
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
## AmCache
* Information about recently run applications on the system
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
* Saves SHA1 of the last executed app
## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
* Saves full path of executed apps
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
## Devices
* Identification
* USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
## Tools
* [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump
* hivex
* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence
```sh
Get-Command -Module AutoRuns
CommandType Name Version Source
----------- ---- ------- ------
Function Compare-AutoRunsBaseLine 14.0 Aut...
Function Get-PSAutorun 14.0 Aut...
Function New-AutoRunsBaseLine 14.0 Aut...
```
## Clean a Dirty Hive
A hive which is not closed correctly is called dirty hive.
To clean a dirty hive the transaction logfile for the specific hive is needed.
The path these logs are stored in is `C:\Windows\System32\config`, they are
named after the hive they contain the logs for. These are not listed in the
file explorer, even if you have hidden files visible. List them via `dir /a`.
If a hive is loaded by a tool and the tool complains about a dirty hive, the
transaction log of said hive has to be loaded as well. Extract it via FTK or
KAPE alongside the hive itself.
Reference in New Issue View Git Blame Copy Permalink