RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. It can be useful in exfiltrating config files such as to support actions like are described in the "Segmentation Vault" article on the MDSec Blog.
This is not yet fully implemented, its a best effort and it does not yet support all datatypes and may lead to some unexpected results. However, it did function for the use cases required.
RegistryStrikesBack.exe <key> [output file path]
Export OneDrive Registry Keys to file in .reg format
RegistryStrikesBack.exe HKCU\Software\Microsoft\OneDrive C:\ProgramData\OneDriveBusiness.reg
Export OneDrive Registry Keys to console in .reg format
RegistryStrikesBack.exe HKCU\Software\Microsoft\OneDrive
- David Middlehurst, MDSec ActiveBreach - Twitter- @dtmsecurity
- PowerShell Implementation https://franckrichard.blogspot.com/2010/12/generate-reg-regedit-export-to-file.html