15 - Critical Registry Paths

Topics

  1. Introduction to the Windows Shells

  2. Windows Permissions

  3. Reverse Shells in Windows

  4. SeImpersonatePrivilege Exploitation

  5. On Cross Compilation

  6. Windows Services

  7. Weak Service Permissions

  8. Unquoted Service Path

  9. DLL Hijacking

  10. Always Install Elevated

  11. Files with Sensitive Data

  12. Windows Hashes

  13. Stored Credentials and the Windows Vault

  14. Scheduled Task

  15. Critical Registry Paths

  16. Useful Tools

  17. AMSI Bypass

Registry Hives

The Windows registry is a hierarchical database that stores configuration settings for the operating system, services, drivers and applications. It is organized into hives, each a tree of keys and values backed by a file on disk. Because several of these keys decide what code runs at boot and at logon, and under which account, they are both a privilege escalation and persistence target for attackers and a standard source of Indicators of Compromise (IOC) during malware analysis and forensics.

The main registry hives, their abbreviations and the files that back them on disk (files under C:\Windows\System32\Config are locked while Windows is running, so they are normally read from a forensic image, a Volume Shadow Copy or a copy made with reg.exe save):

  • HKEY_CLASSES_ROOT (HKCR): not a hive of its own but a merged view of HKLM\SOFTWARE\Classes (stored in C:\Windows\System32\Config\SOFTWARE) and HKCU\Software\Classes (stored in the user's UsrClass.dat).

  • HKEY_LOCAL_MACHINE (HKLM): one file per subtree, C:\Windows\System32\Config\SAM, SECURITY, SOFTWARE and SYSTEM; HKLM\HARDWARE is volatile and rebuilt in memory at every boot.

  • HKEY_USERS (HKU): HKU\.DEFAULT comes from C:\Windows\System32\Config\DEFAULT; every other subkey (one per logged-on user SID) is that user's C:\Users\<UserName>\NTUSER.DAT loaded at logon.

  • HKEY_CURRENT_USER (HKCU): C:\Users\<UserName>\NTUSER.DAT, plus C:\Users\<UserName>\AppData\Local\Microsoft\Windows\UsrClass.dat for HKCU\Software\Classes.

  • HKEY_CURRENT_CONFIG (HKCC): not a hive of its own but a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, so its data lives in C:\Windows\System32\Config\SYSTEM.


Critical Registry Paths

The registry paths below control which programs run automatically and as whom. They are targeted for privilege escalation when their ACLs let a low-privileged user write to them, and for persistence once an attacker already holds the rights to change them.


HKLM\SYSTEM\CurrentControlSet\Services

Each subkey under this path holds the configuration of one service or driver: the binary to start (ImagePath, a REG_EXPAND_SZ), the account it runs as (ObjectName), its start type (Start) and, for svchost-hosted services, the DLL to load (Parameters\ServiceDll). Whoever can write to a service's key can point ImagePath at a binary of their choosing; the next time the service starts, that binary runs under the service's account, frequently LocalSystem. Writing under HKLM normally needs administrative rights, so the practical case is a service whose key ACL has been loosened, for example by an installer that granted Users or Everyone write access.

Modify Service Binary Path:

# Needs SetValue on the service's key; an existing ImagePath keeps its REG_EXPAND_SZ type
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\simpleService" -Name ImagePath -Value "C:\Users\Quickemu\Downloads\test.exe"
# Takes effect at the next start: needs stop/start rights on the service object, or a reboot
Restart-Service -Name simpleService

Relevant attack techniques include:

  • Weak Service Permissions (on the service object or on its registry key)

  • Unquoted Service Paths

  • DLL Hijacking via a writable Parameters\ServiceDll or a DLL the service binary loads
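To find the precondition for the ImagePath hijack above, check the ACL of every service key for write-type rights granted to low-privileged principals. The script below is an added example and not part of the original page; the list of principals it treats as "weak" is an assumption and should be widened with any group the current user belongs to. Run it as the low-privileged user whose access you want to test.

```powershell
# Added example (not from the original page): list service registry keys whose ACL
# grants write-type rights to low-privileged principals. $weakPrincipals is an
# assumption: extend it with groups the tested user is a member of.

$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights on the key is enough to change ImagePath or plant a value
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Find-WritableServiceKey {
    [CmdletBinding()]
    param(
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Keys we cannot read the DACL of are skipped; we cannot write them either
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                RunsAs    = $props.ObjectName   # e.g. LocalSystem, NT AUTHORITY\LocalService
                StartType = $props.Start        # 2 = automatic, 3 = manual, 4 = disabled
                ImagePath = $props.ImagePath
            }
        }
    }
}

# LocalSystem services first, then by start type, since those pay off with the least effort
Find-WritableServiceKey |
    Sort-Object { $_.RunsAs -ne 'LocalSystem' }, StartType |
    Format-Table -AutoSize
```

A hit only matters if the service can also be restarted: check with sc.exe sdshow <service> whether the same principal has SERVICE_STOP and SERVICE_START, or whether the service is automatic so a reboot suffices.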

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

The AppInit_DLLs value lists DLLs that are loaded into every user-mode process that loads user32.dll, which in practice is every process with a window or GUI. Loading is switched on by LoadAppInit_DLLs (1 = enabled) and, from Windows 7 on, can be restricted to signed DLLs with RequireSignedAppInit_DLLs; 32-bit processes on 64-bit Windows read the same values under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows. The value is a space- or comma-delimited list, so a path containing spaces must be given in short (8.3) form. Because one write injects code into nearly every process, the mechanism has a long history of abuse by malware for DLL injection. On Windows 8 and later with Secure Boot enabled it is disabled entirely; on any system a non-empty AppInit_DLLs together with LoadAppInit_DLLs = 1 should be treated as suspicious.

Modify AppInit_DLLs:

# Enable AppInit_DLLs (administrative rights; ignored when Secure Boot is enabled)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name "LoadAppInit_DLLs" -Value 1

# Set DLLs to load: space- or comma-delimited, no spaces inside the paths
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name "AppInit_DLLs" -Value "C:\Path\To\Library1.dll,C:\Path\To\Library2.dll"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Run keys list commands that are started, in the logging-on user's context, every time that user logs on. Each value is a name and a command line. On 64-bit Windows a second copy of the key exists under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and is processed as well, so both must be checked.

  • HKLM: Affects all users. Requires admin privileges to modify.

  • HKCU: Affects only the current user. Can be modified without admin privileges, which makes it the usual persistence location for an attacker who has not escalated.

Modify Startup Applications:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "TestProgram" -Value "C:\Users\Quickemu\Downloads\test.exe"

RunOnce Keys: Same format, but the value is deleted before its command runs, so it executes once at the next logon. A value name prefixed with "!" is deleted only after the command has completed; one prefixed with "*" runs even in Safe Mode.

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Winlogon reads this key at every interactive logon and starts the programs it names with the logging-on user's token, so a change here executes for every user on the machine. The key is under HKLM, so modifying it requires administrative rights.

Common Values:

  • Shell: The program started as the user's desktop shell. The default is explorer.exe; replacing it (the example swaps in cmd.exe) changes what every user gets at logon.

    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "cmd.exe"

  • Userinit: Comma-separated list of programs Winlogon runs before the shell. The default is C:\Windows\system32\userinit.exe, (Windows writes it with the trailing comma). Attackers usually append their binary after the comma instead of replacing the value, so userinit.exe still runs and the logon looks normal. The command below resets the value to its default.

    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "C:\Windows\system32\userinit.exe,"
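The Run/RunOnce, AppInit_DLLs and Winlogon values above are the first things to pull when triaging a host for persistence. The script below is an added example and not part of the original page: it enumerates those locations (including the Wow6432Node copies) and flags Winlogon and AppInit_DLLs values that differ from the stock Windows defaults; Run/RunOnce entries are reported for review since they have no universal baseline. The expected defaults it compares against are assumptions valid for a stock installation.

```powershell
# Added example (not from the original page): collect the autostart locations
# discussed in this section and flag deviations from stock defaults.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Provider bookkeeping properties that Get-ItemProperty adds to every result
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name          # "!name" / "*name" prefixes matter under RunOnce
                Command = $p.Value
            }
        }
    }
}

function Test-WinlogonDefaults {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Stock defaults (assumption for a standard installation); comparison is case-insensitive
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'
    }
    foreach ($name in $expected.Keys) {
        $actual = $wl.$name
        [PSCustomObject]@{
            Value      = $name
            Actual     = $actual
            Expected   = $expected[$name]
            Suspicious = ($actual -ne $expected[$name])
        }
    }
}

function Test-AppInitDlls {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $p = Get-ItemProperty -Path $path
        $enabled = [int]$p.LoadAppInit_DLLs          # missing value casts to 0
        $dlls    = [string]$p.AppInit_DLLs
        [PSCustomObject]@{
            Key        = $path
            Enabled    = $enabled
            Dlls       = $dlls
            # Enabled with a non-empty list is the abuse pattern; empty is the norm
            Suspicious = ($enabled -eq 1 -and -not [string]::IsNullOrWhiteSpace($dlls))
        }
    }
}

Get-RunKeyEntries     | Format-Table -AutoSize
Test-WinlogonDefaults | Format-Table -AutoSize
Test-AppInitDlls      | Format-List
```

Run it in an elevated session so the HKLM keys are readable and so HKCU refers to the account you mean; to cover other users, load their NTUSER.DAT under HKU and adjust the HKCU paths accordingly. The output is meant to be compared with a known-good host or with the Sysinternals Autoruns listing of the same machine.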

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
