PowerShell for Registry Analysis

Detailed Overview:

Modifying the registry can lead to significant system instability or data loss if not handled properly. Always back up your registry before making changes. For more information, refer to these Microsoft guidelines:

- [Windows Registry Advanced Users Guide](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users)

- [How to Backup and Restore the Registry](https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692)

Registry Query Using PowerShell

The Windows Registry stores settings and options for both the operating system and installed software. You can use PowerShell to query and manipulate these registry keys.

Example 1: Query Programs in the Run Key

To list programs that are configured to run automatically upon login, use the following command:

```powershell

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

```

Explanation:

- HKLM refers to HKEY_LOCAL_MACHINE, a registry hive containing system-wide settings.

- The Run key stores command lines that are executed every time a user logs on. Under HKLM the entries apply to every account that logs on to the machine; nothing in this key runs before a logon takes place.

Example 2: Query Programs in the RunOnce Key

This key stores command lines that run only once, at the next logon. Windows deletes each RunOnce value before executing its command, so a program that needs to be re-run must write the value again. A value name prefixed with an exclamation mark (!) is deleted only after the command has completed, and a name prefixed with an asterisk (*) runs even in Safe Mode, where Run and RunOnce entries are otherwise ignored.

```powershell

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

```

You can use the same command for HKCU (HKEY_CURRENT_USER) to inspect the Run and RunOnce registry keys for the current user:

```powershell

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

```

HKCU is an alias for the hive of the account running the PowerShell session (HKEY_USERS\<SID> for that user), so these commands only show the Run and RunOnce entries of the current user. Other accounts' per-user keys live under HKEY_USERS and must be queried there.

Registry Startup Keys

Autostart Extensibility Points (ASEPs) are used to define programs that execute at system startup or user login. They are commonly targeted by attackers to maintain persistence on a compromised system.

Here are the four keys most commonly used for startup processes. Note that on 64-bit Windows the 32-bit view of HKLM\Software lives under HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and RunOnce, and that Policies\Explorer\Run under both HKLM and HKCU, as well as HKLM\...\CurrentVersion\RunOnceEx, are processed in the same way; a review that stops at the four keys below will miss entries placed there.

1. HKLM\Software\Microsoft\Windows\CurrentVersion\Run  

   Programs listed here are executed every time any user logs on to the system.

2. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce  

   Programs listed here are executed only once, at the next logon of any user; the value is deleted before the program runs.

3. HKCU\Software\Microsoft\Windows\CurrentVersion\Run  

   Programs listed here are executed at every login for the current user.

4. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce  

   Programs listed here are executed once at the next login of the current user.
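The following script, an added example that is not part of the original post, reviews the Run and RunOnce keys listed above (and the Wow6432Node and Policies\Explorer\Run variants) in one pass. It strips the PSPath/PSParentPath/PSChildName/PSDrive/PSProvider properties that Get-ItemProperty attaches to every result, extracts the executable from each command line, and flags entries whose executable is missing or sits in a user-writable directory. The flagging heuristics and the list of directories are this example's own assumptions, not rules from the post.

```powershell
# Added example: enumerate autostart (ASEP) Run/RunOnce keys and flag
# entries that deserve a closer look. Run from 64-bit PowerShell so both
# the native and the Wow6432Node views are visible.

$asepKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Get-ItemProperty adds these provider properties to every object; they are
# not registry values and must be filtered out.
$noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Assumption for this example: a command line rooted in a directory that a
# standard user can write to is worth a closer look.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }

function Get-ExecutablePath {
    param([string]$CommandLine)
    # The executable is either the quoted first token or the text up to the
    # first whitespace (arguments such as /silent or a DLL name follow it).
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+', 2)[0]
}

$entries = foreach ($key in $asepKeys) {
    if (-not (Test-Path -Path $key)) { continue }   # RunOnce keys are often absent
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($noise -contains $p.Name) { continue }

        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $p.Value))
        # A bare name such as rundll32.exe is resolved through PATH, as Windows would.
        if (-not (Split-Path -Path $exe -Parent)) {
            $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($cmd) { $exe = $cmd.Source }
        }

        $flags = @()
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { $flags += 'missing-file' }
        if ($userWritable | Where-Object { $exe -like "$_*" })  { $flags += 'user-writable-dir' }

        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Exe     = $exe
            Flags   = ($flags -join ',')
        }
    }
}

$entries | Sort-Object Key, Name | Format-Table -AutoSize
# Flagged entries only, with the full command line visible.
$entries | Where-Object Flags | Format-List
```

A missing file is not proof of malware (uninstalled software often leaves a stale Run value behind), and a legitimate installer may well start something from AppData; the flags narrow the list to review, they do not replace reading each command line.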

Working with the PowerShell Registry Provider

PowerShell exposes the Registry through a provider that presents hives as drives, so you can navigate registry keys just like file system directories and list, view, and modify them with the same cmdlets. Only the HKLM: and HKCU: drives exist by default; other hives such as HKEY_USERS or HKEY_CLASSES_ROOT are reached with the Registry:: path prefix (for example Registry::HKEY_USERS) or by mapping a drive with New-PSDrive -PSProvider Registry.

Example 3: Listing Items in the HKCU Hive

To explore the HKCU registry hive (HKEY_CURRENT_USER), use:

```powershell

Get-ChildItem HKCU:

```

This lists the immediate subkeys of HKEY_CURRENT_USER, with a Name column for the key names and a Property column giving the names of the values stored in each subkey. Get-ChildItem shows keys, not value data; to read the values of a key, use Get-ItemProperty as in the next example.

Example 4: Viewing Properties in Registry Keys

To view the properties (values) of a registry key, run:

```powershell

Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

```

This shows the programs set to run at logon for the current user. Besides the real values, the output includes the PSPath, PSParentPath, PSChildName, PSDrive and PSProvider properties that the provider attaches to every result; these are not registry values.
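Because HKCU: only covers the account running the session, a review of a multi-user or shared machine must look at every user's hive. The script below is an added example, not code from the original post: it walks HKEY_USERS through the Registry:: provider path and reports the Run and RunOnce entries of every loaded hive, translating each SID to an account name where possible. It assumes an elevated session (other users' hives are not readable otherwise).

```powershell
# Added example: per-user Run/RunOnce entries for every hive currently loaded
# under HKEY_USERS, not just the one mapped to HKCU:.

$noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Subkeys of HKEY_USERS are SIDs (plus S-1-5-18 for LocalSystem and .DEFAULT).
# The *_Classes companions hold HKCR data, never Run keys, so skip them.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$results = foreach ($hive in $hives) {
    $sid = $hive.PSChildName

    # Resolve the SID to DOMAIN\user; unresolvable SIDs (deleted accounts,
    # domain accounts while offline, .DEFAULT) are reported as the raw SID.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    foreach ($sub in 'Run', 'RunOnce') {
        $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -Path $key)) { continue }

        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($noise -contains $p.Name) { continue }
            [pscustomobject]@{
                Account = $account
                SID     = $sid
                Key     = $sub
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

$results | Sort-Object Account, Key, Name | Format-Table -AutoSize
```

Only hives of users who are currently logged on (or whose profile is otherwise loaded) appear under HKEY_USERS. To inspect an account that is not logged on, load its NTUSER.DAT from the profile directory with `reg load HKU\TempHive C:\Users\<name>\NTUSER.DAT`, query Registry::HKEY_USERS\TempHive the same way, and unload it afterwards with `reg unload HKU\TempHive`.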

Investigating and Removing Malicious Registry Keys

If you suspect that your system is infected, you can use PowerShell to look for and remove malicious entries from these registry keys. Changes under HKLM require an elevated PowerShell session, and every change should be preceded by a backup of the affected key (see the links at the top of this post) so that it can be reverted.

Example 5: Checking for Malicious Programs

Use the following commands to examine both Run and RunOnce keys for unusual entries (e.g., a suspicious program named Calcache):

```powershell

Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

```

If you find Calcache or another suspicious entry, record its value data (the full command line) before doing anything else: the Run value only tells Windows what to launch, so removing it neither stops a process that is already running nor deletes the executable on disk, and both still need to be dealt with. Once the command line is recorded, the next step is to remove the entry.

Example 6: Removing a Malicious Registry Entry

To remove the Calcache entry from the Run registry key:

```powershell

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Calcache"

```

Running this command will remove the registry value associated with the malicious program.

Example 7: Verifying Removal

After removal, verify that the value no longer exists by asking for it by name. Calcache is a value inside the Run key, not a subkey, so it must be passed with -Name; appending it to the path would make PowerShell look for a key named Calcache and fail whether or not the value was removed:

```powershell

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Calcache"

```

This returns an error ("Property Calcache does not exist") once the value is gone, confirming it was successfully removed. Add -ErrorAction SilentlyContinue to get $null instead of an error when scripting the check.
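The whole procedure from Examples 5 to 7, written as one script that an investigator could run, is given below as an added example; it is not code from the original post. It keeps the evidence (the recorded command line and a reg.exe export of the key) before removing anything, and verifies the removal by value name. Calcache is the hypothetical entry name used in this post, and the backup directory is an assumption for the example.

```powershell
# Added example: investigate and remove a suspected autostart value while
# preserving what it pointed at, then verify the removal.

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$name = 'Calcache'                                   # hypothetical suspicious entry
$backupDir = Join-Path $env:USERPROFILE 'registry-backups'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Confirm the value exists. -Name is required: "$key\$name" would be read
#    as a key path and fail regardless of whether the value is there.
$entry = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $entry) {
    Write-Host "No value named '$name' under $key"
    return
}

# 2. Record the command line first. Removing the Run value does not stop a
#    process that is already running or delete the file it points to; both
#    have to be handled separately.
$commandLine = $entry.$name
Write-Host "Found $name -> $commandLine"
$commandLine | Out-File -FilePath (Join-Path $backupDir "$name.commandline.txt")

# 3. Export the whole Run key so the change can be reverted with a double-click
#    on the .reg file. reg.exe expects HKCU\..., not the HKCU: drive form.
$regPath = $key -replace '^HKCU:\\', 'HKCU\'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export $regPath (Join-Path $backupDir "Run-$stamp.reg") /y | Out-Null

# 4. Remove the value. -Confirm prompts before the change; use -WhatIf instead
#    to see what would happen without changing anything.
Remove-ItemProperty -Path $key -Name $name -Confirm

# 5. Verify by name. A value that reappears points at a running process or
#    scheduled task re-creating it, which is the next thing to hunt.
if ($null -eq (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue)) {
    Write-Host "Verified: '$name' is no longer present under $key"
} else {
    Write-Warning "'$name' is still present under $key; check for a process or task that re-creates it"
}
```

For an entry under HKLM, run the same script from an elevated session and change the reg.exe path rewrite to `'^HKLM:\\', 'HKLM\'`.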

PowerShell Commands for Registry Management

Here are some additional PowerShell commands for working with the Registry:

List all registry items under a specific key:

```powershell

Get-ChildItem -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

```

Get detailed properties of a specific registry key:

```powershell

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

```

Add a new registry value (Set-ItemProperty creates the value if it is missing and silently overwrites it if it exists; use New-ItemProperty with -PropertyType when you want an explicit type and an error on overwrite). When the value is a command line, quote an executable path that contains spaces, otherwise Windows may resolve "C:\Program Files\NewProgram.exe" as C:\Program.exe with the rest as arguments:

```powershell

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "NewProgram" -Value '"C:\Program Files\NewProgram.exe"'

```

Remove a registry value:

```powershell

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "NewProgram"

```

Create a new registry key:

```powershell

New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion" -Name "NewKey"

```
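The script below exercises the management cmdlets above inside a scratch key under HKCU so that nothing real is changed. It is an added example, not code from the original post, and the key and value names in it are assumptions. It shows the distinction that trips people up most often: Test-Path answers whether a key exists, while the existence of a value has to be checked with Get-ItemProperty -Name, and it uses Get-Item to read back the stored value types, which Get-ItemProperty does not display.

```powershell
# Added example: create, populate, inspect and remove a scratch key.

$scratch = 'HKCU:\Software\RegistryAnalysisDemo'   # assumed scratch key name

# Create the key. Test-Path asks "does this KEY exist".
if (-not (Test-Path -Path $scratch)) { New-Item -Path $scratch | Out-Null }

# Add values with explicit types. New-ItemProperty errors if the value already
# exists, so accidental overwrites are visible; Set-ItemProperty would not complain.
New-ItemProperty -Path $scratch -Name 'Launcher' -PropertyType String `
    -Value '"C:\Program Files\Demo App\demo.exe" /silent' | Out-Null   # quoted path with spaces
New-ItemProperty -Path $scratch -Name 'LogDir' -PropertyType ExpandString `
    -Value '%LOCALAPPDATA%\Demo' | Out-Null
New-ItemProperty -Path $scratch -Name 'Enabled' -PropertyType DWord -Value 1 | Out-Null

# Read everything back: one object whose properties are the values.
$values = Get-ItemProperty -Path $scratch
$values.Launcher    # the command line exactly as stored
$values.LogDir      # REG_EXPAND_SZ comes back already expanded
$values.Enabled     # 1

# Checking for a VALUE: Get-ItemProperty -Name, not Test-Path.
# Test-Path "$scratch\Launcher" asks about a subkey named Launcher and is $false.
$valuePresent = $null -ne (Get-ItemProperty -Path $scratch -Name 'Launcher' -ErrorAction SilentlyContinue)
$keyPresent   = Test-Path -Path "$scratch\Launcher"
"Launcher as a value: $valuePresent; Launcher as a key: $keyPresent"

# The stored type (REG_SZ, REG_EXPAND_SZ, REG_DWORD) is available from the
# underlying RegistryKey object returned by Get-Item.
$regKey = Get-Item -Path $scratch
foreach ($n in $regKey.GetValueNames()) {
    '{0,-10} {1}' -f $n, $regKey.GetValueKind($n)
}

# Remove a single value, then the whole key (-Recurse also removes subkeys).
Remove-ItemProperty -Path $scratch -Name 'Enabled'
Remove-Item -Path $scratch -Recurse
```

Running the same commands against a Run key instead of the scratch key is exactly how persistence is installed, which is why the Remove-ItemProperty and New-ItemProperty calls above are the ones to watch for in PowerShell script block logs.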

Additional Resources

For more information on persistence techniques and autostart registry keys, refer to the MITRE ATT&CK framework:

- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001/)

This page provides details on the attack technique of manipulating startup keys in the Windows Registry to maintain persistence on a system.
