For a college course in Incident Response More info: https://samsclass.info/152/152_F22.shtml

1. CNIT 152:
Incident
Response
12 Investigating Windows System
s
(Part 2)
Updated 11-10-22

2. Ch 12 Part 2
Ch 12 Part 3

3. The Windows Registry

4. Purpose
• The registry contains con
fi
guration data for
the Windows operating system and
application
s
• Many artifacts of great forensic value

5. Hive Files
• Binary
fi
les that store the Registr
y
• Five main registry hives in
%SYSTEMROOT%system32con
fi
g
• SYSTEM, SECURITY, SOFTWARE, SAM, DEFAUL
T
• User-speci
fi
c hive
fi
les in each user's pro
fi
le
director
y
• UsersusernameNTUSER.DA
T
• UsersusernameAppDataLocalMicrosoft
WindowsUSRCLASS.DAT

6. Windows Pro
fi
les
• Created the
fi
rst time a user interactively logs
on to a syste
m
• Users who connect over the network don't
create a pro
fi
le folder

7. Terms
Keys Values Data

8. The Five Root Keys

9. HKEY_USERS

10. Virtual Key Paths
• Dynamically created in a running syste
m
• Not visible on a registry captur
e
• HKEY_Current_Use
r
• Links to HKEY_USERS{SID}
• HKLMSYSTEMCurrentControlSe
t
• Links to HKLMSYSTEMControlSetNN
N
• HKEY_CLASSES_ROO
T
• Merges two subkeys

11. Registry Timestamps
• Only one: LastWriteTim
e
• Stored on a key, not valu
e
• Changed when any value under the key is
added, removed, or change
d
• But not when subkeys' values are modi
fi
ed

12. Example
• Run key: programs that launch on system startu
p
• Cannot determine when these three Run items
were added, without other evidence

13. More Limitations
• Windows frequently updates the
LastUpdateTime for large swaths of registry
key
s
• During updates, and sometimes even from
a reboo
t
• Attackers cannot easily change registry
timestamps, although SetRegTime can do
thi
s
• Link Ch 12o

14. Registry Re
fl
ection and
Redirection
• 64-bit Windows allows 32-bit software to ru
n
• 32-bit programs are redirected by the W0W64
sybsystem to alternate registry keys, lik
e
• HKLMSOFTWAREWoW6432Nod
e
• This means 32-bit forensic software won't see
the whole Registry

15. Important Registry Keys

16. System Con
fi
guration
Registry Keys

17. Basic System Information
• Computer Nam
e
• HKLMSystemCurrentControlSet
ControlComputernam
e
• Windows Versio
n
• HKLMSoftwareMicrosoftWindows NT
CurrentVersio
n
• Time Zon
e
• HKLMSystemCurrentControlSet
ControlTimeZoneInformation

18. Basic System Information
• List of Installed Application
s
• HKLMSoftwareMicrosoftWindows
CurrentVersionUninstall{Appname}
• Mounted Devices (with drive letters
)
• HKLMSystemMountedDevices

19. USBSTOR
• Shows every USB device that has been
connecte
d
• A forensic examiner should look here
fi
rst, to
fi
nd out what other devices should be
requested for discovery, by court order or
search warrant

20. Network Information
• Network adapter con
fi
guratio
n
• Wireless networks previously use
d
• Share
s
• Firewall settings

21. User and Security
Information
• Audit polic
y
• Pro
fi
le folder pat
h
• Group membership

22. Shim Cache

23. Shim Cache
• Also called "Application Compatibility Cache
"
• Used to track special compatibility settings
for executable
fi
les and script
s
• May include
:
• File name, path, and siz
e
• Last modi
fi
ed dat
e
• Whether the
fi
le actually ran on the system

24. Shim Cache
• Maintained in memory, written to the registry
on shutdow
n
• Maintains up to 1024 entrie
s
• More than Prefetch (128
)
• includes apps that haven't executed ye
t
• Next two slides from link Ch 12a

27. Ch 12b-1

28. Common Auto-Run Registry
Keys

29. Auto-Run Keys
(Auto-Start Extensibility Points)
• Load programs on system boot, user login,
and other condition
s
• Commonly used by malware to attain
persistenc
e
• Windows provides hundreds of registry-
based persistence mechanism
s
• Some are still undocumented

30. Services
• Most common and widely used persistence
mechanis
m
• Services run in the backgroun
d
• Usually under one of these login account
s
• Local System (most powerful
)
• Network Syste
m
• Local Service

31. Services in the Registry
• Each service has its own subkey unde
r
• HKLMCurrentControlSetservicesservicenam
e
• With this information
:
• DisplayName and Descriptio
n
• ImagePat
h
• How service start
s
• Type of service, such as driver or process

32. ServiceDLL
• Most services are DLL, not EXE
fi
les

33. Service Control Manager
• Services.ex
e
• Launches Windows services upon startu
p
• Command-line "sc" command lets you
examine, start, stop, and create services

34. sc at Command line

35. Services GUI

36. One EXE Can Run Several
Services

37. Four Common Run Keys

38. Active Setup
• Facilitates software installation and update
s
• Subkeys named with GUIDs (long random-looking
numbers
)
• Malware authors often re-use GUIDs so Googling them
can be usefu
l
• StubPath points to an EXE that will run on startup

39. AppInit_DLLs
• DLLs that will be automatically loaded whenever
a user-mode app linked to user32.dll is
launche
d
• Almost every app uses user32 to draw
windows, etc. (link Ch 12p)

40. AppInit_DLLs
• Starting in Windows 8, the AppInit_DLLs
infrastructure is disabled when secure boot is
enable
d
• Secure boot is a UEFI protocol and not a
Windows 8 feature.

41. LSA (Local Security
Authority) Packages
• Load on startu
p
• Intended for authentication packages, but can
be used to launch malware

42. Browser Helper Objects
(BHOs)
• Add-ons or plug-ins for Internet Explore
r
• Such as toolbars, adware, scarewar
e
• No longer supported in Edge

43. Shell Extensions
• Like Browser Helper Objects, but for
Windows Explore
r
• Add context items when right-clicking a
fi
l
e
• Found at
:
• HKCRCLSID{CLSID}InprocServer32
• HKCR{sub-key}shellex

44. Shell Extensions

45. Winlogon Shell
• The shell that loads when a user logs o
n
• Normally set to Explorer.ex
e
• Can be set to any executable
fi
le

46. Winlogon Userinit
• Loads logon and group policy scripts, other
auto-runs, and the Explorer shel
l
• Attackers can append additional executables
to this value

47. Identifying Malicious
Auto-Runs
• Eyeball it, looking for suspicious
fi
les or
paths, spelling errors, broken English, etc
.
• Risky; real commercial software is often
sloppily made, and some attackers are
carefu
l
• Next slide: which item is malicious?

48. A
B
C
D

49. Real DLL is iprip.dll
Spelling error but genuine
No description, runs from Temp, but genuine

50. Recommended Steps
1. Exclude persistent binaries signed by trusted
publishers (but not all signed binaries
)
2. Exclude persistent items created outside the
time window of interes
t
3. Examine paths of remaining persistent binarie
s
• Attackers tend to use Temp folders or
common directories within %SYSTEMROOT
%
• Not deeply nested subdirectories speci
fi
c to
obscure third-party applications

51. Recommended Steps
4. Research MD5 hashes for remaining
persistent binaries on VirusTotal, Bit9, etc
.
5. Compare remaining unknowns against a
known "gold image" used to install the
systems

52. Best Tool
• Sysinternals AutoRuns

53. Signed Malware
• Attackers have been stealing code-signing
signatures, and signing malwar
e
• Also, not all legitimate persistent
fi
les, even
Windows components, are signe
d
• Sometimes updates remove signatures

54. Ch 12b-2

55. User Hive Registry Keys

56. Personalization
• User hive registry keys contain
personalization settings for each use
r
• First priority: examine compromised
account
s
• Acquire NTUSER.DAT and USRCLASS.DA
T
• Check machine accounts, such as
NetworkService and LocalSyste
m
• May also contain evidence

57. Most Helpful User-Speci
fi
c
Keys
• Shellbag
s
• UserAssis
t
• MUICach
e
• Most Recently Used (MRU
)
• TypedURL
s
• TypedPaths

58. Shellbags
• Used to remember size,
position, and view settings of
window
s
• Persist even if a directory is
delete
d
• Saved in a user’s pro
fi
le
registry hive

59. Shellbags Contain
• Full directory paths accessed via Explore
r
• Date and time of acces
s
• Modi
fi
ed, Accessed, and Created times of
each path recorded when the access
occurre
d
• Such historical records are very useful to
track attacker actions

60. Example Shellbags
• Link Ch 12q

61. UserAssist
• Tracks applications a user has launched through
the Windows Explorer shel
l
• Populates Start menu with frequently launched
programs

62. UserAssist v. Prefetch
• UserAssist only tracks items opened via
Explore
r
• Including from the Run box and Start men
u
• But not from the command promp
t
• Prefetch
fi
les don't identify which user
executed a program

63. Obfuscated with ROT13

64. MUICache
• Multilingual User Interfac
e
• Another list of programs executed by a use
r
• HKEY_USERS{SID}_ClassesLocalSettingsSoftware
MicrosoftWindowsShellMuiCache

65. Most Recently Used
(MRU) Keys
• Used by
many
application
s
• No standard
registry
path or
value
naming
convention

66. MRU-Blaster
• Clears
the MRU
lists
(link Ch
12r)

67. Explorer Open and Save
MRU
• Files and folders most recently accessed in
the Open and Save dialog menu
s
• RegRipper can
fi
nd the data

68. Start Menu Run MRU
• Programs recently launched from the Run bo
x
• Human-readabl
e
• HKEY_USERS{SID}SoftwareMicrosoftWindows
CurrentVersionExplorerRunMRU

69. RecentDocs
• Recently opened documents (any
fi
le
extension
)
• Used to populate File menu of various
application
s
• HKEY_USERS{SID}SoftwareMicrosoft
WindowsCurrentVersionExplorer
RecentDocs

70. Internet Explorer
TypedURLs & TypedPaths
• Used to populate the address bar drop-down
list in Internet Explore
r
• May contain URLs and paths to local
fi
le
s
• HKEY_USERS{SID}SoftwareMicrosoft
InternetExplorerTypedURL
s
• HKEY_USERS{SID}
SoftwareMicrosoftInternetExplorer
TypedPaths

72. Proves Intent
• User typed (or pasted) these URLs into the
address ba
r
• Didn't just click a link

73. Remote Desktop MRU
• Used to remotely control Windows machine
s
• Maintains history of recent connections and
con
fi
guration dat
a
• May tell you where a user connected and who
they attempted to log in as

74. Registry Analysis Tools

75. All-In-One Tools
• RegRipper (link Ch 10m
)
• Windows Registry Decoder (link Ch 12s
)
• AutoRun
s
• Velociraptor

76. Single-Purpose Utilities
• ShimCacheParse
r
• Shellbags.p
y
• sba
g
• UserAssis
t
• Nirsoft Registry Analysis Tools

77. Ch 12b-3