OrangeCon

The Registry Rundown
2024-09-05 , Main track

Thought you knew how the Windows Registry worked? We have some tricks up our sleave to abuse the Remote Registry for extended remote reconnaissance and moving laterally to other systems, even bypassing typical remote UAC restrictions to gain code execution.


The talk will cover the basics of the Windows Registry and its structure, including the different hives (e.g. HKLM, HKCU) and their purpose. We will then delve into the different ways the registry can be accessed, both locally and remotely.

Lots of informaton can be gathered from a remote system via the Remote Registry, such as installed software, configuration, and user activity. All using the privileges of a regular domain user without local administrator permission.

We will share some interesting findings that we came across that facilitate lateral movement via the registry (bypassing remote UAC). We also successfully used the Remote Registry service to bypass typical jumpbox restrictions that normally don’t allow the user to login via RDP directly.

Cedric loves solving offensive computer security puzzles, researching new attack vectors, and finding vulnerabilities in obscure technologies. At Outflank, he performs Red Teaming projects and works on the Outflank Security Tooling (OST).

Max is a Red Team operator and software developer at Outflank. He earned his Master’s degree in System and Network Engineering at the University of Amsterdam with a focus on network- and system security. Max has a background in security testing, software engineering, cloud environments and DevOps practices and he applies that knowledge building the Outflank Security Tooling (OST). He also has a keen interest in designing and hacking (embedded) hardware devices.