Registry
Persistence
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc.
```sql
SELECT Key, Value, Data
GROUP BY Key, Value, Data
```
Eric Zimmerman's forensic tools: https://ericzimmerman.github.io/#!index.md
Look for any updates/deletions in the different hives around the dates and times identified as significant.
Transaction data that has not yet been written to the hive file on disk must be merged, otherwise important registry artifacts may be lost. RegistryExplorer is one tool that can merge the transaction log with the relevant hive.
See the Volatility plugin dumpregistry.
The following keys can all be used to cause the system to run unwanted executables.
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
- SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
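Added example, not from the original page: a PowerShell script that snapshots the Run, RunOnce, RunOnceEx, Policies\Explorer\Run and Winlogon (Userinit/Shell) values listed above under HKLM and every loaded user hive, then diffs the snapshot against a saved baseline so that changes which do not line up with known installs or patch cycles stand out. The baseline path, the JSON format and running from an elevated prompt are assumptions of this example.

```powershell
# Added example: snapshot the autostart values listed on the page and diff against a baseline.
# Assumed (not from the page): baseline JSON at $BaselinePath; elevated prompt so HKU hives are readable.
param(
    [string]$BaselinePath = "$env:ProgramData\run-key-baseline.json",
    [switch]$UpdateBaseline
)
# Key paths from the page, relative to each hive root. Winlogon is read whole because
# Userinit and Shell are values under it, not subkeys.
$RelativeKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
function Get-AutostartSnapshot {
    # HKLM plus every loaded user hive (HKU\<SID>), addressed through the Registry provider.
    $roots = @('HKLM:') + (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
    $snap = @{}
    foreach ($root in $roots) {
        foreach ($rel in $RelativeKeys) {
            $path = "$root\$rel"
            if (-not (Test-Path $path)) { continue }
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue; if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
                if ($rel -like '*Winlogon' -and $p.Name -notin 'Userinit','Shell') { continue }
                $snap["$path!$($p.Name)"] = [string]$p.Value
            }
        }
    }
    return $snap
}
$current = Get-AutostartSnapshot
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) values)."
    return
}
$baseline = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }
# Added or changed entries are the ones to correlate with known software installs and patch cycles.
foreach ($k in $current.Keys) {
    if (-not $baseline.ContainsKey($k)) { Write-Output "ADDED   $k = $($current[$k])" }
    elseif ($baseline[$k] -ne $current[$k]) { Write-Output "CHANGED $k : '$($baseline[$k])' -> '$($current[$k])'" }
}
foreach ($k in $baseline.Keys) { if (-not $current.ContainsKey($k)) { Write-Output "REMOVED $k" } }
```

Run it once on a known-good system (or with -UpdateBaseline after a reviewed change) to record the baseline, then schedule it to report drift.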
The NetworkList keys record previously connected networks: domain names, intranet names, SSIDs and gateway MAC addresses. The last connection time can be inferred from the key's last-modified date.
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
- SYSTEM\CurrentControlSet\Services (a Start value of 0x2 means auto-start: the service starts at boot time)
- SYSTEM\CurrentControlSet\Control\TimeZoneInformation
The following keys can all be used to cause the system to run unwanted executables.
- SYSTEM\CurrentControlSet\Control\Session Manager
USB device data includes vendor, product, version, unique ID, time and possibly a serial number.
- SYSTEM\CurrentControlSet\Enum\USBSTOR
- SYSTEM\CurrentControlSet\Enum\US
The Windows Application Compatibility Database is used by Windows to identify possible application compatibility problems with executables. It tracks the executable's file name, file size and last modified time, and on Windows XP also the last update time.
Any executable run on the Windows system may be recorded in this key, which can help determine the last time of execution or activity on the system. Windows XP keeps at most 96 entries and updates LastUpdateTime when a file is executed. Windows 7 keeps at most 1,024 entries and has no LastUpdateTime.
Windows XP
- SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility
Windows 7/8/10
- SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCach
BAM/DAM provide the full path of the executable that was run on the system and the last execution date/time. BAM entries are updated when Windows boots.
- SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
- SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}