mdsecactivebreach/RegistryStrikesBack

RegistryStrikesBack

RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. It can be useful for exfiltrating config files, for example to support actions like those described in the "Segmentation Vault" article on the MDSec Blog.

Note

This is not yet fully implemented; it's a best effort, does not yet support all datatypes, and may lead to some unexpected results. However, it did function for the use cases required.

Usage

RegistryStrikesBack.exe <key> [output file path]

Export OneDrive Registry Keys to file in .reg format

RegistryStrikesBack.exe HKCU\Software\Microsoft\OneDrive C:\ProgramData\OneDriveBusiness.reg

Export OneDrive Registry Keys to console in .reg format

RegistryStrikesBack.exe HKCU\Software\Microsoft\OneDrive
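
Since not all datatypes are supported, it helps to check what an exported file actually contains. The following is an added example (not part of the RegistryStrikesBack project) that parses .reg text and reports the key paths and value types present. It assumes the output follows regedit's .reg layout; the function names and sample data are constructed for illustration.

```python
import re
from collections import Counter

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
VALUE_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data
HEX_TYPES = {"": "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}

def decode_reg(data: bytes) -> str:
    """regedit.exe writes UTF-16LE with a BOM; fall back to UTF-8 for other writers."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-8-sig", errors="replace")

def value_type(rhs: str) -> str:
    """Map the data prefix of a value line to its registry type name."""
    if rhs.startswith('"'):
        return "REG_SZ"
    if rhs.startswith("dword:"):
        return "REG_DWORD"
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:", rhs)
    if m:
        code = (m.group(1) or "").lower()
        return HEX_TYPES.get(code, f"hex({code})")
    return "UNKNOWN"

def summarize_reg(data: bytes) -> dict:
    """Return the key paths and per-type value counts found in a .reg export."""
    text = decode_reg(data)
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header line")
    keys, types = [], Counter()
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            keys.append(ln[1:-1])
        elif not ln.startswith(";"):  # ';' starts a comment line
            m = VALUE_RE.match(ln)
            types[value_type(m.group(1)) if m else "UNPARSED"] += 1
    return {"keys": keys, "types": dict(types)}

# Constructed sample in regedit's layout (names and values are made up).
SAMPLE = ("\ufeffWindows Registry Editor Version 5.00\r\n\r\n"
          "[HKEY_CURRENT_USER\\Software\\Microsoft\\OneDrive]\r\n"
          "\"ExampleString\"=\"constructed\"\r\n"
          "\"ExampleDword\"=dword:00000001\r\n"
          "\"ExampleBinary\"=hex:01,02,\\\r\n  03,04\r\n\r\n"
          "[HKEY_CURRENT_USER\\Software\\Microsoft\\OneDrive\\Accounts]\r\n"
          "\"ExampleMulti\"=hex(7):61,00,00,00,00,00\r\n").encode("utf-16-le")
```

Values counted as UNPARSED or UNKNOWN point at lines that do not match the regedit layout and are worth inspecting by hand.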

Author

  • David Middlehurst, MDSec ActiveBreach - Twitter: @dtmsecurity

Acknowledgments
