Registry Analysis - The "Why"

Why is Registry analysis important?

The Windows Registry, in part, controls a good bit of the functionality of a Windows system. As such, Registry analysis can help you understand why you’re seeing something, or why you’re not seeing something, as the case may be.

For example, Registry “settings” (i.e., keys, values, or combinations) can be/have been used to disable Windows Event Logs, enable or disable auditing (the content that goes into the Windows Event Log), disable access to security tools, enable or disable other functionality on Windows systems, etc. The Registry can be used to enable or disable application prefetching, which produces artifacts very commonly used by forensic analysts and incident responders.

Most analysts are aware that, particularly with respect to the file system, something “deleted” isn’t always “gone”. This is true for files, but even more so for records (elements with a file), and it’s also true for the Registry. However, the Registry can be used to disable functionality the prevents activity from being recorded in the first place. As such, the records are never actually generated, and therefore, cannot be recovered. This is an important distinction to make, as over the past decade and a half, we’ve seen threat actors actively modify systems within an infrastructure to suit their own needs. For example, disabling or removing security tools, modifying operating system capabilities, and enabling or disabling functionality; whether manually or via a batch file (or some other means), many of these modifications manifest themselves as changes in the Registry. 

Case in point; in the spring of 2019, I was working with incident responders to track activities associated with the Ryuk ransomware group. Looking back to Sept, 2018, we’d seen where the actors had run mimikatz, and then within seconds, moved laterally. Closer examination showed that the actor had modified the Registry so that the operating system would maintain credentials in memory in plain text 6 to 9 days prior to running mimikatz. That way, they didn’t have to copy the hashes so that they could crack them; the credentials were already in plain text, so all they had to do was choose the account with the highest level of privileges and move to subsequent systems. This is just one example of how threat actors have modified systems within a compromised infrastructure to meet their needs.

User Activity
In addition to “current state” configuration settings, the Registry “tracks” or maintains a history of activity on the system; updates, upgrades, devices connected, etc. This is also true for user actions; files opened or interacted with, applications launched, WiFi networks connected to, etc.

There used to be a few law enforcement officers who’d contact with me with questions; “used to” because they’ve since retired. One in particular had worked out a process with me, where she’d share an NTUSER.DAT from an active case and I’d process the hive and give her a comprehensive, detailed list of files interacted with by the user. I’d include applications used, and if applicable, dates and times of the interactions. I’d provide her with a complete description of how this information was found, so that she could replicate my findings so that she could testify (if necessary). She’d then tie the file paths and names to specific files and content, and take that to the pre-trial conference, and very often, she’d end up with a plea agreement.

In 2005, Cory Altheide and I published the first paper to address tracking USB devices across Windows systems. At the time, we were working with Windows XP, and since then, the Windows operating system has grown considerably in the records generated when USB devices are connected, as well as differentiating between various protocols. For example, connecting a smartphone or digital camera to a Windows computer via a USB cable appears in a different manner from a USB thumb drive. Of course, this doesn’t cover devices connected via Bluetooth. 

“Proof of Life”, Intent, Sophistication
Information derived from analysis of the Windows Registry can be leveraged to demonstrate “liveness”, or to put a suspect “behind the keyboard”. In addition, the totality of information derived from Registry analysis can be used to further the understanding of a user or threat actor’s intent (what they’re after) and their level of sophistication. For example, Registry analysis can show use that the threat actor added an account to a system as a means of persistence, and then added the account to different groups so that the account could be used to access the system remotely via RDP. From there, we can see if the icon for the account was hidden from the Welcome Screen, as well as if additional means of persistence were added.

Also, the timing between the various modifications we observe, in addition to the modifications themselves, can be leveraged to determine attribution. We have observed, for example, some threat actors making use of batch files or VBS scripts to make Registry modifications, either directly via reg.exe, or indirectly via other native tools such as sc.exe, or schtasks.exe. The timing of the modifications, in relation to other modifications and system impacts, can be used to establish attribution; was this truly the threat group we suspect it to be, or someone else? Or, do the observables indicate an evolution of capabilities of the threat group?

We’ve also seen how RaaS providers embed dozens of preemptive commands in the executables they provide; in the spring of 2020, one RaaS sample contained 156 embedded commands to disable Windows services, via sc.exe and other means. Looking at the timing of the modifications that actually took effect (not all services may be active on the impacted system) alongside files being encrypted provides insight into attribution.

Registry Analysis
Registry analysis is not a stagnant thing. That is to say that you don’t reach a point where you’re “done”, and don’t have to go any further. You don’t just reach a point in, say, 2018 where you say, “I’m done” and don’t continue to evolve your analysis. This is due to the fact that, even in a corporate environment, it’s extremely difficult to find two systems that are the same; that is, system “loads” or configurations (base operating system, applications, configurations, etc.) are often very different. As a DFIR consultant, I would encounter different basic loads and configurations with every client, and even within that client, systems had different applications installed (in part, due to mergers and acquisitions), were configured differently, etc. Even when there was a “common load”, where every system was supposed to have some common configuration, they weren’t; often times, the version of the application would be a rev or two behind others, hadn’t been updated in some time, etc.

Also, analysis goals very often differ; what you’re looking to prove or disprove will vary depending upon your investigative goals. Are you dealing with a malware infection, a data breach, an insider threat, corporate espionage, access to illicit images or materials, or something else entirely?

Article Link: Windows Incident Response: Registry Analysis - The "Why"