2017-03-23

Malicious [.reg] Files

The Problem

Criminals and red teams have been known to use .hta, .vbs, .vbe, .js, .jse, .html, .bat and .cmd files to break into a computer or network. However, you don't hear much about [.reg] files, which RegEdit interprets to make changes to the registry. On a default installation of Windows, the user does not need special admin privileges to add keys to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. So, if they receive an email and are tricked into running the [.reg] file, they could be adding an 'evil' key. Currently, Gmail is not blocking these files by default. You may want to check your email provider / gateway!
Here is an example of what a malicious [.reg] key might look like; this one just launches calc.
Figure: "Malicious" Reg Key. Adds a key that will run calc.exe via mshta.exe when the victim logs in.

Monitoring

You can monitor this activity with Windows Event ID 4688, where the command line details for the event contain "regedit.exe" and end with ".reg". Additionally, you can always monitor Run keys by enabling the "object access" policy or by using a tool such as Sysmon. You should also always monitor events created by mshta, wscript, cscript, regsvr32.exe and scrobj.dll, as these (an incomplete list, I'm sure) can be used to create persistence in Run keys.
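The 4688 check described above, written out as an added example (not code from the original post) that also handles quoted paths and events logged without a command line. It assumes events are already exported as dictionaries using the 4688 EventData field names NewProcessName and CommandLine; the reason labels and the sample events are constructed for illustration.

```python
import re

# Names the post says to watch; matched as substrings of image path + command line.
WATCHED = ("mshta", "wscript", "cscript", "regsvr32.exe", "scrobj.dll")

# "regedit.exe" present and the command line ends with ".reg"; a closing quote
# and trailing whitespace are tolerated because quoted paths end in .reg".
REG_IMPORT = re.compile(r'regedit\.exe.*\.reg["\']?\s*$', re.IGNORECASE)


def classify(event):
    """Return the reasons a 4688 (process creation) event deserves review."""
    if event.get("EventID") != 4688:
        return []
    image = (event.get("NewProcessName") or "").lower()
    cmd = event.get("CommandLine") or ""
    reasons = []
    if REG_IMPORT.search(cmd):
        reasons.append("regedit-reg-import")
    elif image.endswith("\\regedit.exe") and not cmd.strip():
        # Command line auditing is off, so the .reg argument cannot be seen.
        reasons.append("regedit-no-command-line")
    haystack = image + " " + cmd.lower()
    reasons += ["watched:" + n for n in WATCHED if n in haystack]
    return reasons


def triage(events):
    """Map event index -> reasons, keeping only events with at least one hit."""
    scored = ((i, classify(ev)) for i, ev in enumerate(events))
    return {i: r for i, r in scored if r}


# Constructed sample events (field names follow the 4688 EventData layout).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe",
     "CommandLine": r'"C:\Windows\regedit.exe" "C:\Users\alice\Downloads\invoice.reg"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe /s C:\Temp\settings.REG "},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe",
     "CommandLine": r'"C:\Windows\regedit.exe"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe", "CommandLine": ""},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\page.hta"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.reg"},
]
```

A plain "ends with .reg" test misses the first sample because the quoted path ends in `.reg"`, and the fourth sample shows what the check is left with when command line logging for process creation is not enabled.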

Contributions:
Adam Swan / @acalarch
Nate Guagenti / @neu5ron



