Registry

These artifacts collect information related to the Windows registry.

Windows.Registry.AppCompatCache

Parses the system’s app compatibility cache.

Arg Default Description
AppCompatCacheKey HKEY_LOCAL_MACHINE/System/ControlSet*/Control/Sess …

Windows.Registry.EnableUnsafeClientMailRules

Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on). This registry value enables execution from Outlook inbox rules, which can be used as a persistence mechanism. Microsoft has released a patch to disable execution, but attackers can re-enable it by changing this value to 1.

HKEY_USERS\*\Software\Microsoft\Office\*\Outlook\Security\EnableUnsafeClientMailRules = 0 (expected) https://support.microsoft.com/en-us/help/3191893/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro

Arg Default Description
KeyGlob Software\Microsoft\Office\*\Outlook\Security\ …
userRegex .

Windows.Registry.EnabledMacro

Checks for a registry key indicating that a macro was enabled by the user.

HKEY_USERS\*\Software\Microsoft\Office\*\Security\Trusted Documents\TrustRecords registry keys, for values ending in FFFFFF7F. http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html

Arg Default Description
KeyGlob Software\Microsoft\Office\*\Security\Trust …
userRegex .

Windows.Registry.MountPoints2

This detection collects any items in the MountPoints2 registry key with a “$” in the share path. This key stores all remotely mapped drives unless they are removed, so it is a good hunt for simple lateral movement based on admin share ($) mapping.

Arg Default Description
KeyGlob Software\Microsoft\Windows\CurrentVersion\Expl …

Windows.Registry.NTUser

This artifact searches for keys or values within the user’s NTUser.dat registry hives.

When a user logs into a Windows machine the system creates their own “profile”, which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in. If the user is not logged in, the file is not mapped at all.

This artifact bypasses the locking mechanism by parsing the raw NTFS filesystem to recover the registry hives. We then parse the registry hives to search for the glob provided.

This artifact is designed to be reused by other artifacts that need to access user data.

Any artifacts that look into the HKEY_USERS registry hive should use the Windows.Registry.NTUser artifact instead of accessing the hive via the API. The API only exposes the currently logged-in users in that hive, so relying on the Windows API will likely miss any settings for users not currently logged on.

Arg Default Description
KeyGlob Software\Microsoft\Windows\CurrentVersion\Expl …
userRegex .

Windows.Registry.NTUser.Upload

This artifact collects all the user’s NTUser.dat registry hives.

When a user logs into a Windows machine the system creates their own “profile”, which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in.

This artifact bypasses the locking mechanism by extracting the registry hives using raw NTFS parsing. We then just upload all hives to the server.

Arg Default Description
userRegex .

Windows.Registry.PortProxy

Description: This artifact returns any items in the Windows PortProxy service registry path. The most common way to configure this service is via the lolbin netsh.exe; Metasploit and other common attack tools also have configuration modules.

Reference: Port Proxy detection (http://www.dfirnotes.net/portproxy_detection/)

ATT&CK: T1090 - Connection Proxy
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.

Arg Default Description
KeyGlob HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\services …

Windows.Registry.Sysinternals.Eulacheck

Checks for the accepted Sysinternals EULA from the registry key “HKCU\Software\Sysinternals\[TOOL]”. When a Sysinternals tool is first run on a system, the EULA must be accepted. This writes a value called EulaAccepted under that key.

Note: This artifact uses HKEY_USERS and therefore will not detect users that are not currently logged on.

Arg Default Description
Sysinternals_Reg_Key HKEY_USERS\*\Software\Sysinternals\*
userRegex .

Windows.Registry.UserAssist

Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys.

The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command line (cmd.exe) do not appear in these registry keys.

From a forensics perspective, being able to decode this information can be very useful.

Arg Default Description
UserFilter If specified we filter by this user ID.
ExecutionTimeAfter If specified only show executions after this time.
UserAssistKey Software\Microsoft\Windows\CurrentVersion\Expl …
userAssistProfile {"Win10": [0, {"NumberOfExecutions": [4, …
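As an added example (not part of the artifact or of Velociraptor's own code), the Python below decodes UserAssist values the way the artifact's Win10 profile describes: the ROT13-encoded value name, the run count at offset 4, and the last-execution FILETIME, which is assumed here to sit at offset 60 of the 72-byte Win10 record. The sample values are constructed, and collect() mirrors the ExecutionTimeAfter argument.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Win10 layout from the artifact's userAssistProfile: run count is a uint32 at offset 4.
# The last-execution FILETIME at offset 60 of the 72-byte record is an assumption.
WIN10_PROFILE = {"NumberOfExecutions": (4, "<I"), "LastExecution": (60, "<Q")}
RECORD_SIZE = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since then

def parse_userassist(name, data, profile=WIN10_PROFILE):
    # Names are ROT13-encoded; short bookkeeping values (UEME_CTLSESSION) are skipped.
    if len(data) < RECORD_SIZE:
        return None
    off, fmt = profile["NumberOfExecutions"]
    count = struct.unpack_from(fmt, data, off)[0]
    off, fmt = profile["LastExecution"]
    ft = struct.unpack_from(fmt, data, off)[0]  # 0 means never executed
    last = None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return {"Name": codecs.decode(name, "rot13"), "NumberOfExecutions": count,
            "LastExecution": last.isoformat() if last else None}

def collect(values, execution_time_after=None):
    # Mirrors the artifact's ExecutionTimeAfter argument (ISO 8601, tz-aware).
    after = datetime.fromisoformat(execution_time_after) if execution_time_after else None
    rows = []
    for name, data in values.items():
        row = parse_userassist(name, data)
        if row is None:
            continue
        if after and (row["LastExecution"] is None
                      or datetime.fromisoformat(row["LastExecution"]) <= after):
            continue
        rows.append(row)
    return rows

def make_record(count, last_exec_iso):
    # Builds a constructed 72-byte Win10 record for the sample data below.
    data = bytearray(RECORD_SIZE)
    struct.pack_into("<I", data, 4, count)
    delta = datetime.fromisoformat(last_exec_iso) - FILETIME_EPOCH
    struct.pack_into("<Q", data, 60, (delta.days * 86400 + delta.seconds) * 10_000_000)
    return bytes(data)

# Constructed sample values: ROT13 of "{...}\cmd.exe", "Microsoft.Windows.Explorer"
# and the bookkeeping value "UEME_CTLSESSION".
SAMPLE_VALUES = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr": make_record(7, "2020-05-01T12:00:00+00:00"),
    "Zvpebfbsg.Jvaqbjf.Rkcybere": make_record(42, "2019-01-15T08:30:00+00:00"),
    "HRZR_PGYFRFFVBA": b"\x00" * 8,
}
```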