The Registry Rundown

Thought you knew how the Windows Registry worked? We have some tricks up our sleave to abuse the Remote Registry for extended remote reconnaissance and moving laterally to other systems, even bypassing typical remote UAC restrictions to gain code execution.

The talk will cover the basics of the Windows Registry and its structure, including the different hives (e.g. HKLM, HKCU) and their purpose. We will then delve into the different ways the registry can be accessed, both locally and remotely.

Lots of informaton can be gathered from a remote system via the Remote Registry, such as installed software, configuration, and user activity. All using the privileges of a regular domain user without local administrator permission.

We will share some interesting findings that we came across that facilitate lateral movement via the registry (bypassing remote UAC). We also successfully used the Remote Registry service to bypass typical Citrix restrictions that normally don’t allow the user to login via RDP directly.