[Blog] Concealed Information in the Windows Registry
10 July 2020 - Blog by Guus Beckers
Our investigators run into all kinds of sensitive information during red teaming engagements. Although this information is usually reserved for forensic data collection by law enforcement services, it is also of great value to attackers who are looking to infiltrate computer networks.
Gathering information to elevate privileges on key systems within an organisation is an integral part of the red teaming kill chain, specifically the “Discovery” and “Privilege escalation” phases. Information is collected, which in turn is used to pivot between systems within the larger network infrastructure.
In this blog Guus Beckers will describe how the Windows Registry conceals information which is of great value to potential attackers.
“Every contact leaves a trace.” This principle was coined by Dr. Edmond Locard in the twentieth century and has since become a cornerstone of the forensic sciences. Dr. Locard was referring to traces in the physical world: traces of blood, fibers of cloth and strands of hair, among others. However, it is equally true in the domain of computer devices and computer networks, with names of documents, network locations and system commands being just a few equivalent examples. All this information is entered without a second thought and retained by the operating system for the sake of convenience. When the computer systems of employees are compromised, these traces can be used by attackers to gain a greater understanding of the affected employee, computer system or computer network. One of the most important sources in the Windows operating system is the registry, a database that retains most system settings.
It stores a wide range of information such as:
- Information related to connected networks;
- Name and detailed network information on any (previously connected) wireless network;
- Contents of Open/Save dialog boxes (to get an overview of existing files);
- How often a program has been launched, the location of the program, even if it has been deleted or uninstalled;
- Software which is started when the computer boots;
- Connected devices;
- Connected USB storage devices.
With proper expertise, this knowledge can be found and reused.
1.2. Gathering sensitive information
Consider the following scenario: an executive is using his laptop, and a hacker has managed to get a foothold on it. One of the most valuable information sources is the Windows registry, which sits at the core of the Windows operating system. It functions as the configuration database and keeps track of essential system files, installed applications, user settings and many other types of data. As such, it contains a wealth of information. Although it is well protected, every single user account needs access to the registry in order to load vital parts of the operating system. Thus, every user account has access to the registry and is able to read data from it. The available data in the registry can be used for a wide variety of purposes.
Using a few system commands, the attacker is able to view the list of previously connected wireless access points. As a convenience feature, Windows stores previously connected networks so that they will also work during future visits. The hacker can see that the executive has visited a few hotels as well as multiple offices of his own company located in the United States. Time zone information obtained from the registry matches one of the offices, making it likely that the executive is based in that particular location. Digging deeper into the registry reveals the most commonly used applications of this user, including an older version of Microsoft Office with a few promising vulnerabilities. It is likely that many devices within the company use the same version. The attacker now has a pretty good idea of what to do next and can use the same techniques (and other locations within the registry) to gather valuable information on other devices.
The next step is to scour the system for more information about the individual. An ideal source of information is the web browser history, which informs the attacker about the user's most recent activities, including visited websites as well as the number of visits to each specific site. This information, correlated with other timestamp information, can inform an attacker about their target's hobbies, work, family and a host of other interests. Web browsers contain sensitive data about individuals; using the collected data as well as the shared history (which includes downloaded files and search engine information), an attacker with no ethical qualms will be able to get a feeling for the individual's desires and doubts. The acquired information can, in turn, be used during (spear) phishing campaigns. Obviously, other files present on the device are also an attractive target for hackers, possibly revealing even more interesting information.
The exact scenario described above is fictitious, but it is feasible in a real engagement. All of the data described in the scenario can be obtained quite easily once the account of an employee is compromised, as the attacker is then logged in with user privileges. The obtained information can be used as a stepping stone to further infiltrate the organisation. The rules of prevention still apply: protect user accounts with a strong password, maintain security awareness and use information security best practices to protect your organisation.
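As an added example (not part of the original post), the following PowerShell script lets a defender check which of the registry locations holding the artifact types listed above are readable by an unprivileged account on a given machine, and optionally adds a read-audit entry so that such reads appear in the Security log. The key list is an assumption drawn from commonly documented locations; the script must run from an elevated prompt.

```powershell
# Added example: audit unprivileged read access to registry locations that hold
# the artifact types discussed in the post, optionally enabling read auditing.
# Assumptions: elevated PowerShell; the key list is a starting point, not complete.
[CmdletBinding()]
param(
    [switch]$EnableReadAudit  # add a SACL so reads by Users log 4656/4663 events
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles', # known networks
    'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',                              # USB storage devices
    'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation',               # time zone
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',                      # software started at boot
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU' # Open/Save dialogs
)
$lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$users   = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Users')
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        [pscustomobject]@{ Key = $key; Exists = $false; UsersCanRead = $null }
        continue
    }
    # -Audit fetches the SACL as well, so audit rules can be added and written back.
    $acl = Get-Acl -LiteralPath $key -Audit
    # An Allow ACE granting at least ReadKey to a low-privilege principal means
    # any logged-in user can read this key (generic rights are not expanded here).
    $readable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $lowPriv -and
        ($_.RegistryRights -band $readKey) -eq $readKey
    }
    [pscustomobject]@{ Key = $key; Exists = $true; UsersCanRead = [bool]$readable }

    if ($EnableReadAudit -and $readable) {
        # Success audit on value queries and subkey enumeration by Users; the
        # "Audit Registry" (Object Access) policy must be enabled for events to appear.
        $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            $users,
            [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]::Success)
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}
```

Run it without the switch first to see the exposure report; with `-EnableReadAudit`, reads of the readable keys by ordinary users generate Security log events that can be correlated with the account and process performing them.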
If you have any questions concerning your information security, please contact us at firstname.lastname@example.org.