I bet the first thing you thought of when you read this title is the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key, which the bad guys have used for decades as a place to automatically start their malware when a user logs on. That key is still used in attacks, but today registry security goes way beyond the Run and RunOnce keys. In this webinar we’ll look at the many dark corners the bad guys exploit to re-activate their malware after a reboot.
Since the registry is where practically all configuration settings reside for Windows and because permissions are not always perfect, we’ve also seen over the years ways to “dumb down” specific Windows security features by modifying unprotected registry keys.
But the bad guys also find ways to exploit the registry for privilege elevation. We’ll look at past examples (now patched) of this and discuss why we’ll continue to see this. And I’ll show you how certain registry keys have been used to support DLL injection.
The most recent way the bad guys leverage the registry is as a storage location for their code, one way of going “file-less”. The Windows registry is well suited to this because it is practically a parallel file system unique to Windows. You can store any kind of data in the registry, from text to binary, and while we are most familiar with small scalar values, a single registry value can hold megabytes of data; even a value name can be up to 16,383 characters (key names are limited to 255).
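To make the “code hidden in the registry” point concrete, here is an added example (it is not code from the webinar, from Randy Franklin Smith or from Netwrix) that walks a set of well-known autostart keys and flags values whose data is unusually large, is binary where a command line would be expected, or looks like a base64-encoded PowerShell command line. The key list, the 2 KB threshold, the regular expression and the HKCU:\Software\RegHuntDemo key it creates for its constructed sample are all assumptions made for this demo; nothing about them comes from the page.

```powershell
# Added example, not from the webinar: hunt for payload-sized or encoded data
# in autostart keys.  Runs as a normal user; the demo key lives under HKCU.
$PersistenceKeys = @(                      # assumed list; extend from the persistence catalogs the webinar points to
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$SizeThresholdBytes = 2048                 # assumed cutoff: a Run entry is a path, not kilobytes of data

function Get-ValueDataSize {
    # Size in bytes of a value's data, by registry type (strings are UTF-16 on disk).
    param([object]$Data, [Microsoft.Win32.RegistryValueKind]$Kind)
    switch ($Kind) {
        'Binary'      { return $Data.Length }
        'DWord'       { return 4 }
        'QWord'       { return 8 }
        'MultiString' { return ($Data | ForEach-Object { [Text.Encoding]::Unicode.GetByteCount($_) + 2 } |
                                Measure-Object -Sum).Sum }
        default       { return [Text.Encoding]::Unicode.GetByteCount([string]$Data) }
    }
}

function Find-SuspiciousRegistryValues {
    param([string[]]$Keys, [int]$Threshold)
    foreach ($keyPath in $Keys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data exactly as stored.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $size = Get-ValueDataSize -Data $data -Kind $kind
            $reasons = @()
            if ($size -ge $Threshold) { $reasons += "data is $size bytes" }
            if ($kind -eq 'Binary')   { $reasons += 'binary data in an autostart key' }
            if (($kind -eq 'String' -or $kind -eq 'ExpandString') -and
                $data -match '-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}') {
                $reasons += 'base64-encoded PowerShell command line'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Key = $keyPath; Name = $name; Kind = $kind; Bytes = $size
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

# Constructed sample: plant a 4 KB blob and an encoded-command string under a
# throwaway key, scan, then clean up.  The base64 fragment is deliberately truncated
# and does nothing; it only needs to look like an -EncodedCommand argument.
$demoKey = 'HKCU:\Software\RegHuntDemo'
New-Item -Path $demoKey -Force | Out-Null
$blob = New-Object byte[] 4096
(New-Object System.Random).NextBytes($blob)
New-ItemProperty -Path $demoKey -Name 'Stage2' -PropertyType Binary -Value $blob -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'Loader' -PropertyType String -Force `
    -Value 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' | Out-Null
try {
    Find-SuspiciousRegistryValues -Keys ($PersistenceKeys + $demoKey) -Threshold $SizeThresholdBytes |
        Format-Table -AutoSize
} finally {
    Remove-Item -Path $demoKey -Recurse -Force
}
```

The scan is intentionally narrow: it only reads the keys you hand it, so extend the list from the persistence catalogs the webinar covers rather than walking all of HKLM, and treat the size threshold as a starting point, since a few legitimate vendors do store sizeable blobs under their own keys (though rarely under Run).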
In this webinar I’ll show you:
- Where to find up-to-date and complete lists of registry keys used for persistence – the list keeps growing as years go by
- Utilities for monitoring the registry
- How to use Windows Auditing and the Security Log to monitor the registry
- How bad guys hide code in the registry
- Ways bad guys have elevated their privileges via vulnerable registry keys
- How bad guys have injected malicious DLLs into legitimate processes via other registry keys
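As an added example of the auditing approach in the list above (this is not code from the webinar, from its author or from Netwrix), the script below enables the Registry audit subcategory, places a SACL on the HKLM Run key so that successful writes and deletes by anyone are recorded, and then reads back the resulting 4657 (“A registry value was modified”) events from the Security log. The key path, the use of Everyone as the audited identity, the two-second wait and the throwaway AuditDemo value it writes to trigger an event are choices made for this demo. It must run in an elevated session, because reading and writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the webinar: audit writes to the HKLM Run key and pull 4657 events.
# Run elevated.  The key path and identity below are assumptions for this demo.
$KeyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Enable-RegistryAudit {
    param([string]$Path)
    # 1. Advanced Audit Policy: Object Access > Registry.  Without this, SACLs are ignored.
    auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    # 2. SACL entry: audit successful SetValue / CreateSubKey / Delete by anyone,
    #    inherited by subkeys.  Deliberately not auditing reads, which would be very noisy.
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit       # -Audit is what pulls the SACL, not just the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RegistryWriteEvents {
    param([string]$KeyFilter, [datetime]$Since)
    # 4657 carries the value name plus old and new data; 4663 only records the access.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name from the XML rather than by Properties[] position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # ObjectName is in native form, e.g. \REGISTRY\MACHINE\SOFTWARE\...\CurrentVersion\Run
        if ($data.ObjectName -like "*$KeyFilter*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Key     = $data.ObjectName
                Value   = $data.ObjectValueName
                NewData = $data.NewValue       # empty on a delete (OperationType %%1906)
            }
        }
    }
}

Enable-RegistryAudit -Path $KeyPath
$start = Get-Date
# Constructed trigger: create and then delete a harmless value so two 4657 events are produced.
Set-ItemProperty -Path $KeyPath -Name 'AuditDemo' -Value 'cmd.exe /c echo demo'
Remove-ItemProperty -Path $KeyPath -Name 'AuditDemo'
Start-Sleep -Seconds 2
Get-RegistryWriteEvents -KeyFilter 'CurrentVersion\Run' -Since $start | Format-Table -AutoSize
```

Two caveats worth checking before relying on this in production: an auditpol change made locally is overwritten at the next Group Policy refresh if the domain defines Advanced Audit Policy, so set the subcategory there as well; and a SACL on a busy key (HKLM\Software itself, for instance) will flood the Security log, which is why the example targets a single autostart key and audits writes only.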
There’s not much you can do in terms of preventing these attacks through stronger registry key permissions without breaking the system. So, it largely comes down to monitoring. Our sponsor for this real training for free event is Netwrix and Jeff Melnick will show you how Netwrix Auditor makes it easy to monitor for registry based attacks but also how registry auditing is a tiny fraction of the depth and breadth of visibility Netwrix Auditor provides.
Please join us for this real training for free session.