Regscout
Windows Registry Forensics Scripts
These scripts were created to pull and parse the Windows registry for forensics and characterization of an endpoint, while preparing the output to be ingested into an Elasticsearch backend and visualized in Kibana.
There have been 2 major milestones to these scripts to date:
- Version 1.00 was the initial creation of getting it to work.
- Version 2.00 was a major undertaking to move this to the ECS aligned schema.
I have also spent more time during the 2.00 versions trying to document the locations of the data, so that even if the scripts are not used, the cybersecurity community at large could potentially benefit from a consolidation of key registry artifacts.
I have also spent a lot of time creating a parser for the collected data, so that the output requires as little interpretation as possible. This is not always 100% done, but achieving it is my end goal for this project.
Windows Registry
Overview
What is the Windows Registry?
From Microsoft: "The registry is a system-defined database in which applications and system components store and retrieve configuration data."
In other words, this is the location where the operating system and installed programs can store their configurations, and possibly the history of what a program or user has done.
Why does this matter to us in the world of cyber defense and digital forensics?
There is a ton of information that can be extracted from the registry if you know where to look. Some of the big items that we can find in the registry include:
- Startup operations
- Current and Past networks connected to
- Recent user activities
- Devices connected to the system
- Printers that have been used
- Services and their properties/configurations
- Network shares connected to
- Persistence of malicious programs
This is just a short list of the items that we may find of interest when hunting through the Windows registry, but how do we go about looking into these items? There are so many registry entries in a Windows system.
Windows helps keep things organized by splitting things up into separate registry hives.
There are a handful of hives that all have very important roles in the way the Windows operating system works.
- HKEY_CLASSES_ROOT (HKCR)
- Contains information about registered applications. It is a combination of the current user and local machine Classes subkeys, where the current user's information overrides a matching local machine registry key.
- HKEY_CURRENT_USER (HKCU)
- Registry and settings of the currently logged in user. Data here is pulled from the ntuser.dat file.
- HKEY_LOCAL_MACHINE (HKLM)
- Stores settings that are specific to the local computer. These keys are loaded at boot from the %systemroot%\system32\config folder.
- HKEY_USERS (HKU)
- Similar to HKEY_CURRENT_USER, but rather than the currently logged in user it tracks all the profiles currently stored on the computer.
- HKEY_CURRENT_CONFIG (HKCC)
- Pointer to settings currently in use by the computer. Most of the items point to the HKLM hive. Changes made to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\ typically mirror the HKCC and vice versa.
The registry is your typical database where you have keys and values.
- Keys are similar to folders in the filesystem. They are used as a way to organize the data in the registry.
- Values are name/data pairs that are stored inside of a registry key. Think of these like the documents inside of a folder.
The registry can contain several types of values in it, so it can be more than just numbers or words. Here is a quick chart to cover those various items:
Type Name | Meaning |
---|---|
REG_NONE | No type (the stored value, if any) |
REG_SZ | A string value |
REG_EXPAND_SZ | An "expandable" string value that can contain environment variables |
REG_BINARY | Binary data |
REG_DWORD | A 32-bit unsigned integer |
REG_LINK | A symbolic link to another registry key |
REG_MULTI_SZ | A multi-string value, which is an ordered list of non-empty strings |
REG_RESOURCE_LIST | A resource list |
REG_QWORD | A 64-bit integer |
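Worked example, added here and not part of Regscout's own modules: a PowerShell function that walks one key, reports each value with its REG_* type from the table above, and shapes the result with the ECS registry.* field names the 2.00 schema targets. The function name, the hex flattening of REG_BINARY data and the choice of the two Run keys (the startup artifacts listed earlier) are this example's own assumptions.

```powershell
# Added example, not part of Regscout: enumerate one registry key's values and emit one
# ECS-shaped record per value. How each REG_* type is flattened to strings is this example's choice.
function Get-RegistryValueRecords {
    param(
        # PowerShell provider path, e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        [Parameter(Mandatory)] [string] $Path
    )
    $key = Get-Item -Path $Path -ErrorAction Stop
    $hive, $subKey = $key.Name -split '\\', 2   # "HKEY_LOCAL_MACHINE\SOFTWARE\..." -> hive, key
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)        # .NET RegistryValueKind: String, DWord, Binary, ...
        # Read the raw data so REG_EXPAND_SZ keeps its %VARIABLES% unexpanded
        $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        # Map RegistryValueKind back to the REG_* names used in the table above
        $regType = switch ($kind) {
            'String'       { 'REG_SZ' }
            'ExpandString' { 'REG_EXPAND_SZ' }
            'Binary'       { 'REG_BINARY' }
            'DWord'        { 'REG_DWORD' }
            'QWord'        { 'REG_QWORD' }
            'MultiString'  { 'REG_MULTI_SZ' }
            default        { "REG_$($kind.ToString().ToUpper())" }
        }
        # Flatten the data to a string array so the analyst sees no raw .NET objects
        $strings = switch ($kind) {
            'Binary'      { ,@((($raw | ForEach-Object { $_.ToString('x2') }) -join '')) }
            'MultiString' { ,@($raw) }
            default       { ,@([string]$raw) }
        }
        [pscustomobject]@{
            '@timestamp' = (Get-Date).ToUniversalTime().ToString('o')
            host         = @{ name = $env:COMPUTERNAME }
            registry     = @{
                hive  = $hive
                key   = $subKey
                value = $name                   # '' is the key's (Default) value
                path  = "$($key.Name)\$name"
                data  = @{ type = $regType; strings = $strings }
            }
        }
    }
}

# Startup entries from the two classic Run keys, one JSON document per line (NDJSON)
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    Get-RegistryValueRecords -Path $runKey | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 4 }
}
```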
Regscout Modules
I want to introduce a tool that I have developed to extract important information from Windows computers. I went with a modularized set of PowerShell scripts that are prepared to be used in a framework and currently set up to ship results back to an Elasticsearch instance for analysis.
Here is a list of the modules and a brief description as to what they were built for:
Modules | Description |
---|---|
ComputerInfo | List of several computer baseline items: processor info, system environment, RDP enabled, prefetch, paging, last user logged in. |
DownloadDocs | Lists all items for which the user was prompted to open/save files (last 20 per extension) |
Enum | List of any device connected to the computer (USB devices will be in this list) |
File Extensions | List of all extensions and the default apps assigned per user and program to open them |
Firewalls | List of all Firewall rules that are allowed on the host |
IEHistory | User Web Browsing History for Internet Explorer |
IESettings | User Internet Explorer settings |
InstalledPrograms | List of all programs that are installed (as listed in the uninstall list) |
KnownDlls | List of trusted DLLs that have special treatment by the OS |
LanMan | List of share permissions and names of folders shared out to the network |
Last Visit | List of executables used by an application to open files. Also lists the directory location of the last file that was accessed by that application |
Mounted Devices | Gathers all devices that have been mounted on the system (mainly HDDs) and displays the connection type, vendor and name |
Networks | Collection of network information for the host. Includes IPv4, IPv6, any wireless networks, the list of networks connected to in the past, and the NICs connected (anything network related) |
Office Server Cache | List of Office online locations that a user has accessed (most will be SharePoint) |
Printers | List of all printers installed on the computer; not all printers will be added to a user |
Recent Apps | List of applications that were recently run, per user |
RecentDocs | Grabs all documents/types that have been opened (up to the last 20 per extension) |
Recycle Bypass | Main item here is NukeOnDelete (if this is set to 1 then the Recycle Bin is not used) |
RunPrograms | List of everything typed into the Run command |
Services | Services that are registered with the OS |
Shell Folders | Locations of the user's profile folders (Desktop, Documents, Start Menu, etc.) |
UserAssist | List of recent links and executable files that were recently opened, per user |
UserPrinters | Displays the list of any printers that users have added under their profile |
UserList | List of users, SIDs, and locations |
UserShares | Lists any and all shares that are set up by the user/system that the user will see |
WordWheel | Any searches that are done in Explorer |