Lateral Movement with Remote Registry

05.06.2024 · dadevel

Lateral movement by using MS-RRP (the Windows Remote Registry Protocol) to modify the registry of a remote host, e.g. to write to one of the Run keys.

By default the Remote Registry service starts on demand on servers and has been disabled on desktops since Windows 10. If the service is not disabled, its start can be triggered as an unprivileged user (source). Otherwise you will get OBJECT_NAME_NOT_FOUND and need local admin rights to re-enable it.

Once the service is running it is possible to read and write the HKCU hive as an unprivileged user (source), but only if the target user is currently logged in on the target computer (source); HKCU is only mapped under HKEY_USERS while that user's hive is loaded. Otherwise you will get FILE_NOT_FOUND.

impacket-reg jdoe:'passw0rd'@ws01.corp.local query -keyName 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
impacket-reg jdoe:'passw0rd'@ws01.corp.local add -keyName 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -v Backdoor -vt REG_SZ -vd 'calc.exe'
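From the defender's side, the two observable steps of the technique above are the Remote Registry service entering the running state (System log event 7036) and a value being written under a user hive's Run/RunOnce key by the svchost.exe process that hosts the service (Security log 4657 where a SACL is set on the key, or Sysmon event 13). The following detection script is an added example written for this page, not code from the original post or from impacket; the sample event records, the SID and the value names in it are constructed, and the `find_remote_registry_persistence` helper is a hypothetical name.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on System 7036 (service state change),
# Security 4657 (registry value modified) and Sysmon 13 (RegistryEvent value
# set). Made up for this example; the SID and paths are not real.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7036, "provider": "Service Control Manager",
     "message": "The Remote Registry service entered the running state."},
    {"log": "Security", "event_id": 4657, "subject_user": "jdoe",
     "object_name": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1105"
                    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "object_value_name": "Backdoor", "new_value": "calc.exe",
     "process_name": r"C:\Windows\System32\svchost.exe"},
    {"log": "Sysmon", "event_id": 13, "user": r"CORP\jdoe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1105"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"log": "System", "event_id": 7036, "provider": "Service Control Manager",
     "message": "The Windows Update service entered the running state."},
]

# Autostart keys under a per-user hive, in the \REGISTRY\USER\<SID>\ form used
# by 4657 or the HKU\<SID>\ form used by Sysmon. Group 1 is the SID, group 2 the key.
RUN_KEY_RE = re.compile(
    r"^(?:\\REGISTRY\\USER|HKU|HKEY_USERS)\\(S-1-5-21-[\d-]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)


@dataclass
class Alert:
    rule: str
    detail: str


def _is_remote_registry_start(ev):
    return (ev.get("event_id") == 7036
            and ev.get("provider") == "Service Control Manager"
            and "Remote Registry service entered the running state" in ev.get("message", ""))


def _registry_write(ev):
    """Normalise 4657 and Sysmon 13 into (value path, data, writing image), else None."""
    if ev.get("log") == "Security" and ev.get("event_id") == 4657:
        return (ev["object_name"] + "\\" + ev["object_value_name"],
                ev.get("new_value", ""), ev.get("process_name", ""))
    if ev.get("log") == "Sysmon" and ev.get("event_id") == 13:
        return (ev["target_object"], ev.get("details", ""), ev.get("image", ""))
    return None


def find_remote_registry_persistence(events):
    """Hypothetical helper: flag Remote Registry starts and Run-key writes made via it."""
    alerts = []
    for ev in events:
        if _is_remote_registry_start(ev):
            alerts.append(Alert("remote-registry-started", ev["message"]))
            continue
        write = _registry_write(ev)
        if write is None:
            continue
        path, data, image = write
        m = RUN_KEY_RE.match(path)
        if not m:
            continue
        sid, key = m.group(1), m.group(2)
        value_name = path.rsplit("\\", 1)[-1]
        # The Remote Registry service runs inside svchost.exe, so a Run/RunOnce
        # value written by svchost.exe rather than by explorer.exe, regedit.exe or
        # an installer is the MS-RRP pattern described in the post. Local writes
        # by the user's own programs (the OneDrive record above) are not flagged.
        if image.lower().endswith("\\svchost.exe"):
            alerts.append(Alert("run-key-written-via-remote-registry",
                                f"{key} value {value_name!r} = {data!r} for {sid}"))
    return alerts


if __name__ == "__main__":
    for a in find_remote_registry_persistence(SAMPLE_EVENTS):
        print(a.rule, "-", a.detail)
```

Two caveats when applying this to real telemetry: 4657 is only generated when an audit SACL covers the Run/RunOnce keys (Sysmon 13 needs a matching rule as well), and on workstations where the service is disabled the 7036 start event alone is already worth an alert, since re-enabling it requires local admin rights.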