Windows

Notes

Registry

• The Windows Registry is a collection of databases that contains the system's configuration data.

• A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.

• The registry on any Windows system contains the following five root keys:

  • HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on.

  • HKEY_USERS: Contains all the actively loaded user profiles on the computer.

  • HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user).

  • HKEY_CLASSES_ROOT: The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.

  • HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the local computer at system startup.

• The majority of the hives are located in the C:\Windows\System32\Config directory and are:

  • DEFAULT (mounted on HKEY_USERS\DEFAULT)

  • SAM (mounted on HKEY_LOCAL_MACHINE\SAM)

  • SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)

  • SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)

  • SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

• The other hives that contain user information are located in:

  • C:\Users<username>\NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)

  • C:\Users<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)

• Another very important hive is called the AmCache hive, which is located in C:\Windows\AppCompat\Programs\Amcache.hve and contains information on programs that were recently run on the system.

• The transaction logs can be considered as the journal of the changelog of the registry hive, which means that the transaction logs can often have the latest changes in the registry that haven't made their way to the registry hives themselves. The transaction log for each hive is stored as a .LOG file in the same directory as the hive itself. It has the same name as the registry hive, but the extension is .LOG.

• Registry backups are the opposite of Transaction logs. These are the backups of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.

Useful registry keys

• NTUSER.DAT\Software\Microsoft\Office\VERSION - Office recent files

• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Recent files

• SAM\Domains\Account\Users - Users

• SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Autoruns

• SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Autoruns

• SOFTWARE\Microsoft\Windows NT\CurrentVersion - OS version

• SOFTWARE\Microsoft\Windows Portable Devices\Devices - USB device volume names

• SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - Computer name

• SYSTEM\CurrentControlSet\Enum\USB - USB devices information

• SYSTEM\CurrentControlSet\Enum\USBSTOR - USB devices information

• SYSTEM\CurrentControlSet\Control\TimeZoneInformation - Time zone information

• SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Network interfaces

Resources

Articles

• Playing with PrintNightmare - 0xdf
• Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher
• Unofficial Guide to Mimikatz & Command Reference - Active Directory Security
• Windows Privilege Escalation Fundamentals - Ruben Boonen, Fuzzy Security

GitHub Repositories

• adPEAS - Powershell tool to automate Active Directory enumeration
• BloodHound - Six Degrees of Domain Admin
• Cain & Abel - password recovery tool for Microsoft Operating Systems
• enum4Linux - tool for enumerating data from Windows and Samba hosts
• enum4linux-ng - A next generation version of enum4linux
• Evil-WinRM - The ultimate WinRM shell for hacking/pentesting
• JAWS - Just Another Windows (Enum) Script
• JuicyPotatoNG - Another Windows Local Privilege Escalation from Service Account to System
• kerbrute - tool to perform Kerberos pre-auth bruteforcing
• mimikatz - A little tool to play with Windows security
• NanoDump - The swiss army knife of LSASS dumping
• Privesc - Windows batch script that finds misconfiguration issues which can lead to privilege escalation
• pypykatz - Mimikatz implementation in pure Python
• RegRipper3.0
• UACMe - Defeating Windows User Account Control
• Windows-Exploit-Suggester
• Windows-Privilege-Escalation - Windows Privilege Escalation Techniques and Scripts
• Windows Exploit Suggester - Next Generation
• Windows Exploits

Tools

• Registry Explorer - Eric Zimmerman

TryHackMe Rooms

• Active Directory Basics
• Attacktive Directory
• Blaster
• Bypassing UAC
• Ice
• KAPE
• Retro
• Windows Forensics 1
• Windows Fundamentals 1
• Windows Fundamentals 2
• Windows Fundamentals 3

Websites

• Active Directory Security
• LOLBAS - Curated list of every binary, script, and library that can be used for Living Off The Land techniques
• LOLDrivers - Curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks
• Windows Virtual Machines

  • Windows 10 Enterprise
  • Windows 11 developer environment
  • Windows 11 Enterprise