Webinar 1514 Slides

The document discusses how attackers exploit the Windows registry for persistence, hiding file-less malware, privilege escalation, and storing secrets by modifying registry keys and values to load malware at startup, bypass application sandboxes, or elevate privileges. It provides an overview of the registry structure and permissions model, and recommends monitoring registry activity through auditing policies, Sysmon, and analyzing security logs to detect suspicious changes related to persistence, privilege escalation, or credential theft.

Uploaded by Ranjan Prakash
Copyright: © All Rights Reserved

8/23/2018

How Attackers Exploit the Windows Registry for Persistence, Hiding File-less Malware, Privilege Elevation and More

© 2018 Monterey Technology Group Inc.

[Title-slide logo slots: "Sponsored by", "Made possible by", "Thanks to"]


Preview of key points
- A few quick facts about the registry
- How the bad guys use the registry
- Which keys?
- Utilities
- Registry auditing
- Beyond the security log

A few quick facts about the registry
- Structure
- Data storage capabilities
- Registry permissions
- 32/64 bit


How the bad guys use the registry
- Persistence
- Storage
- Elevation
- Secrets

Persistence
- Many, many keys in the registry allow you to define EXEs or DLLs that are loaded at startup, at logon, with certain applications, or according to other events
- The best source of a comprehensive list of such keys is Mark Russinovich's Autoruns utility
  - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- Here's a current list I extracted
  - https://www.dropbox.com/s/rlzvhaaqrq9xyns/autoruns.txt?dl=0
- https://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue


Storage for file-less malware
- https://www.welivesecurity.com/2017/05/15/malicious-registry-keys-reflective-injection/
- https://www.theregister.co.uk/2014/08/04/registryinfecting_rebootresisting_malware_has_no_files/
- https://www.redcanary.com/blog/windows-registry-attacks-threat-detection/
Elevation
- Exploiting Service Registry Permission's Weaknesses to Establish Persistence
- Microsoft Windows Consent User Interface Registry Key Local Privilege Escalation Vulnerability
- Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
- "... allow attackers to bypass an application sandbox protection mechanism and perform unspecified registry actions via a crafted application, aka 'Windows Registry Elevation of Privilege Vulnerability.'"
- https://vulners.com/nessus/SMB_REG_WINLOGON_PERMISSIONS.NASL
- https://vulners.com/osvdb/OSVDB:334
  - HKEY_LOCAL_MACHINE keys checked:
    - Software\Microsoft\Windows\CurrentVersion\App Paths
    - Software\Microsoft\Windows\CurrentVersion\Controls Folder
    - Software\Microsoft\Windows\CurrentVersion\DeleteFiles
    - Software\Microsoft\Windows\CurrentVersion\Explorer
    - Software\Microsoft\Windows\CurrentVersion\Extensions
    - Software\Microsoft\Windows\CurrentVersion\ExtShellViews
    - Software\Microsoft\Windows\CurrentVersion\Internet Settings
    - Software\Microsoft\Windows\CurrentVersion\ModuleUsage
    - Software\Microsoft\Windows\CurrentVersion\RenameFiles
    - Software\Microsoft\Windows\CurrentVersion\Setup
    - Software\Microsoft\Windows\CurrentVersion\SharedDLLs
    - Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    - Software\Microsoft\Windows\CurrentVersion\Uninstall
    - Software\Microsoft\Windows NT\CurrentVersion\Compatibility
    - Software\Microsoft\Windows NT\CurrentVersion\Drivers
    - Software\Microsoft\Windows NT\CurrentVersion\drivers.desc
    - Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Next user
  - HKEY_LOCAL_MACHINE keys checked:
    - Software\Microsoft\Windows\CurrentVersion\Run
    - Software\Microsoft\Windows\CurrentVersion\RunOnce
    - Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    - Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    - Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  - Permissions: Administrators Group: Full Control; System: Full Control; Everyone: Read
  - Short Description: It is possible for non-administrative users to create a program and set it to run by the next user who logs on. Unauthorized access rights could be obtained if the next user to log on has administrative rights.
  - https://vulners.com/api/v3/search/id/?id=SMB_REG_RUN_PERMISSIONS.NASL
- Services with Vulnerable Privileges
  - Windows services run as SYSTEM. So, their folders, files, and registry keys must be protected with strong access controls. In some cases, we encounter services that are not sufficiently protected.
- Insecure Service Permissions
  - It is very similar to the previous Insecure Registry Permissions example. Instead of changing the service's "ImagePath" registry value directly, we will do it by modifying service properties.
- AlwaysInstallElevated
- Ensure that only Administrators may set registry key values under HKLM\Software\Clsid; Interactive only needs the read permission. On web servers that allow publishing, it is crucial to ensure that these issues don't exist, as this attack can be launched using ASP.
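The weak-ACL findings above (non-administrators able to write Run keys or a service's ImagePath) are something you can check for yourself. This is an added example, not code from the webinar or from Netwrix; the list of "trusted" principals is an assumption for an English-language Windows install, and the script only reports, it changes nothing.

```powershell
# Added example, not from the slides: list HKLM autorun and service keys on which a
# principal other than the built-in privileged ones holds write-type rights.
# $trusted is an assumption (English principal names); adjust for your environment.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
# Rights that let a caller change what gets executed or who controls the key.
# WriteKey is deliberately not in the mask: it includes ReadPermissions, which every reader has.
$mask    = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$generic = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL as seen in unmapped ACEs

$keys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
           'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
# Every service key: its ImagePath value decides what runs as SYSTEM at start-up.
$keys += (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue).PSPath

foreach ($key in $keys) {
    try { $acl = Get-Acl -Path $key -ErrorAction Stop } catch { continue }   # some keys deny even read
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # A service's own virtual account writing its own key is normal; skip it.
        if ($trusted -contains $id -or $id -like 'NT SERVICE\*') { continue }
        $raw = [int]$ace.RegistryRights
        if (($raw -band $mask) -or ($raw -band $generic)) {
            [pscustomobject]@{ Key = $key; Identity = $id; Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
        }
    }
}
```

Rows naming Users, Authenticated Users, Everyone or INTERACTIVE are the ones to review against the "Administrators: Full Control; System: Full Control; Everyone: Read" baseline quoted above.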


Secrets
- Besides Mimikatz, this depends on scripts and applications that store cleartext passwords in the registry
- Attackers will search the registry for values and keys named "password", "key", "credential" …

Registry security
- Permissions
- Auditing


Registry permissions
- Analogy to file system
  - Registry Keys = Folders
  - Registry Values are like Files
  - Permissions on Keys flow down like inheritance on the file system
- Different
  - Files can individually have permissions, not so values

[Screenshot: registry key permissions dialog]


Registry auditing
- Audit policy
- Security log events
- Group policy

Audit policy at the system level
[Screenshot: Advanced Audit Policy, Object Access subcategories]


Audit policy at the key level
- Similar to folders on a file system, each registry key has an audit control list
- Defined in terms of permissions used
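Both levels described above, the system-wide subcategory and the per-key SACL, have to be set before the Security log records anything for a key. This is an added example, not from the webinar or from Netwrix, and assumes an elevated prompt; the key list and the audited permissions are choices, not anything the slides prescribe.

```powershell
# Added example, not from the slides. Step 1: enable the Object Access > Registry
# subcategory system-wide (without it, key-level SACLs produce no events).
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Step 2: put a SACL on the persistence keys. Audit only the permissions that matter
# for persistence (writes, subkey creation, deletion, ACL changes); auditing reads
# of busy keys would flood the log, which is the complexity the deck warns about.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
          'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')   # HKCU covers the current user only

$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # flows down to subkeys, like folders
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key -Audit          # -Audit is needed to read (and keep) the existing SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl        # requires SeSecurityPrivilege, hence the elevated prompt
}

# Verify what ended up on one of the keys.
(Get-Acl -Path $keys[0] -Audit).Audit | Select-Object IdentityReference, RegistryRights, AuditFlags
```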

Registry audit events
4656  A handle to an object was requested
4657  A registry value was modified
4658  The handle to an object was closed
4659  A handle to an object was requested with intent to delete
4660  An object was deleted
4663  An attempt was made to access an object
4670  Permissions on an object were changed
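Of the events listed, 4657 is the one that names the value, the old and new data, and the process that wrote it, so it is the natural starting point for a persistence review. The following is an added example, not from the webinar or from Netwrix; the key fragments to watch are an assumption, and the field names come from the 4657 event's own EventData.

```powershell
# Added example, not from the slides: pull 4657 (registry value modified) from the last
# 24 hours and keep only writes under the autorun / service / logon keys.
# $watch is an assumption; extend it with entries from your Autoruns export.
$watch = @('\CurrentVersion\Run', '\Image File Execution Options', '\CurrentControlSet\Services', '\Winlogon')

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-1) } `
                       -ErrorAction SilentlyContinue   # null (no events) is fine; the loop just does nothing

foreach ($e in $events) {
    # Flatten EventData <Data Name="..."> elements into a hashtable keyed by field name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # ObjectName looks like \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    if (-not ($watch | Where-Object { $d.ObjectName -like "*$_*" })) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process   = $d.ProcessName          # the EXE that wrote the value: what the deck says to baseline
        Key       = $d.ObjectName
        Value     = $d.ObjectValueName
        Operation = $d.OperationType        # %%1904 created, %%1905 modified, %%1906 deleted
        Old       = $d.OldValue
        New       = $d.NewValue
    }
}
```

Group the output by Process and Key over a few weeks and the "routine" set of writers the deck describes (installers, Windows Update, your management agent) becomes visible; anything outside it is what to look at.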


Control registry key permissions and audit policy centrally via Group Policy
[Screenshot: Group Policy, Computer Configuration > Windows Settings > Security Settings > Registry]

Sysmon
- Also provides auditing of registry keys and values
- Requires installation of Sysmon
- Configuration controlled by an XML config file instead of group policy
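Because Sysmon's filtering lives in that XML file, the same "watch only the persistence keys" idea from the SACL approach is expressed as RegistryEvent include rules. This is an added example, not from the webinar or from Netwrix; it assumes Sysmon64.exe is already installed and on PATH, and the key fragments are the same assumed list as above.

```powershell
# Added example, not from the slides. Sysmon registry events: 12 = key created/deleted,
# 13 = value set, 14 = key/value renamed. With onmatch="include", only TargetObjects that
# match a rule are logged, which keeps the volume manageable on a busy system.
$config = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="RegistryPersistence" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\Image File Execution Options\</TargetObject>
        <TargetObject condition="contains">\Winlogon\</TargetObject>
        <TargetObject condition="end with">\ImagePath</TargetObject>
        <TargetObject condition="end with">\ServiceDll</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$path = Join-Path $env:ProgramData 'sysmon-registry.xml'   # location is an assumption
Set-Content -Path $path -Value $config -Encoding ASCII
& sysmon64.exe -accepteula -c $path                          # -c loads/updates the configuration

# Read back the most recent registry events Sysmon recorded.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13, 14 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Unlike 4657, Sysmon event 13 carries the writing process's full image path and the new value in one record, with no SACL to maintain per key.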


What should you do?
- Don't think you are going to monitor each change to the registry on even one system, let alone thousands
- Even autoruns
  - Don't monitor new systems until everything is installed
  - Then classes of similar systems will settle into a routine of which autorun keys are modified on a regular basis
    - Especially with upgrades
- How to catch file-less malware using the registry for storage?
  - Scan for large data values?
  - Cat-and-mouse
  - Attackers may
- Pay attention to which EXEs modify the registry and which keys
  - Baseline that
- Do your own hunts for secrets improperly stored in the registry
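Two of the hunts suggested above, scanning for large data values and looking for secret-like names (the "password", "key", "credential" search from the Secrets slide), can be run from one pass over the hives. This is an added example, not from the webinar or from Netwrix; the size threshold and the name pattern are assumptions and will need tuning, since the deck itself calls this cat-and-mouse.

```powershell
# Added example, not from the slides. One walk over HKLM and HKCU Software that reports
# (1) values big enough to hold a payload and (2) key/value names suggesting stored secrets.
$roots         = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')
$sizeThreshold = 20KB                                                  # assumption; tune per system class
$secretPattern = 'password|passwd|pwd|credential|secret|\bkey\b|token' # assumption; expect false positives

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_                                   # Microsoft.Win32.RegistryKey
        if ($key.Name -match $secretPattern) {
            [pscustomobject]@{ Type = 'SecretName'; Key = $key.Name; Value = '(key name)'; Bytes = 0 }
        }
        foreach ($name in $key.GetValueNames()) {   # '' is the (Default) value
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # Approximate on-disk size by value type: REG_BINARY, REG_SZ/REG_EXPAND_SZ (UTF-16),
            # REG_MULTI_SZ, or a DWORD/QWORD.
            $bytes = if ($data -is [byte[]])   { $data.Length }
                     elseif ($data -is [string[]]) { 2 * (($data | Measure-Object Length -Sum).Sum) }
                     elseif ($data -is [string])   { 2 * $data.Length }
                     else { 8 }
            if ($bytes -ge $sizeThreshold) {
                [pscustomobject]@{ Type = 'LargeValue'; Key = $key.Name; Value = $name; Bytes = $bytes }
            }
            if ($name -match $secretPattern) {
                [pscustomobject]@{ Type = 'SecretName'; Key = $key.Name; Value = $name; Bytes = $bytes }
            }
        }
    }
}

$findings | Sort-Object Type, Bytes -Descending | Format-Table -AutoSize
```

Run it once on a clean build of each system class and keep the output as the baseline; the deck's point is that the diff against that baseline, not the raw list, is what is worth a human's time.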

Bottom line
- There's not much you can do in terms of preventing these attacks through stronger registry key permissions without breaking the system.
- So, it largely comes down to monitoring
- Windows security log auditing of the registry is a start but is complex and provides no reporting or analysis
- Jeff Melnick will show you how Netwrix Auditor makes it easy to monitor for registry-based attacks
- Registry auditing is a tiny fraction of the depth and breadth of visibility Netwrix Auditor provides


Netwrix Auditor: Visibility platform for user behavior analysis and risk mitigation

About Netwrix Auditor
A visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations, and access in hybrid IT environments. It provides security intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent real damage.


Netwrix Auditor Platform
Netwrix Auditor Unified Platform, with modules:
- Netwrix Auditor for Active Directory
- Netwrix Auditor for Azure AD
- Netwrix Auditor for Exchange
- Netwrix Auditor for Office 365
- Netwrix Auditor for Windows File Servers
- Netwrix Auditor for EMC
- Netwrix Auditor for NetApp
- Netwrix Auditor for SharePoint
- Netwrix Auditor for Oracle Database
- Netwrix Auditor for SQL Server
- Netwrix Auditor for Windows Server
- Netwrix Auditor for VMware

[Product screenshot slides: "Registry Changes", "Windows Server Configurations", "Netwrix Auditor Alerts", "Changes to Local Users and Groups", "User Activity Video Recording"]

Useful links
- Online TestDrive: experience Netwrix Auditor with no download or installation required: https://www.netwrix.com/browser_demo.html
- Live One-to-One Demo: product tour with a Netwrix expert: netwrix.com/livedemo
- Contact Sales to obtain more information: netwrix.com/contactsales
- Webinars: join our upcoming webinars and watch the recorded sessions
  - netwrix.com/webinars
  - netwrix.com/webinars#featured

Your Employees Are Your Biggest Risk: Security Awareness Program
https://www.netwrix.com/your_employees_are_your_biggest_risk.html
