Awesome
SharpReg
SharpReg is a simple code set to interact with the Remote Registry service API using the same SMB process as reg.exe, which uses TCP port 445. This code is compatible with Cobalt Strike.
Z:\>SharpReg.exe
[-] Usage:
--Query <Computer|local|hostname|ip> <KeyName|SOFTWARE\Microsoft\Policies> <ValueName|count|all|recurse|grep|ScriptBlockLogging> <SearchTeam|Grep() Only|E.g. "Google">
--Add <Computer|local|hostname|ip> <KeyName|SOFTWARE\Microsoft\Policies> <DataType|SZ|EXPAND_SZ|DWORD|QWORD|BINARY> <ValueName|YourValueName> <ValueData|YourValueData>
--Delete <Computer|local|hostname|ip> <KeyName|SOFTWARE\Microsoft\Policies> <ValueName|all|ScriptBlockLogging>
--Persist <Computer|local|hostname|ip> <ValueName|netsvcs>
Examples
Using the all function to walk each key -- its like a simple dir of each key.
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local \ all
\\BCD00000000
\\HARDWARE
\\SAM
\\SECURITY
\\SOFTWARE
\\SYSTEM
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM all
SYSTEM\ActivationBroker
SYSTEM\ControlSet001
SYSTEM\DriverDatabase
SYSTEM\HardwareConfig
SYSTEM\Input
SYSTEM\Keyboard Layout
SYSTEM\Maps
SYSTEM\MountedDevices
SYSTEM\ResourceManager
SYSTEM\ResourcePolicyStore
SYSTEM\RNG
SYSTEM\Select
SYSTEM\Setup
SYSTEM\Software
SYSTEM\WPA
SYSTEM\CurrentControlSet
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM\CurrentControlSet all
SYSTEM\CurrentControlSet\Control
SYSTEM\CurrentControlSet\Enum
SYSTEM\CurrentControlSet\Hardware Profiles
SYSTEM\CurrentControlSet\Policies
SYSTEM\CurrentControlSet\Services
SYSTEM\CurrentControlSet\Software
Counting the subkey names -- fails on keys with a space, atm
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM\CurrentControlSet\Services count
There are 636 subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
[!] IOException: The specified registry key does not exist.
Recursively searching keys and values for a specific search term
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM\CurrentControlSet\Services grep Google
SYSTEM\CurrentControlSet\Services\GoogleChromeElevationService
SYSTEM\CurrentControlSet\Services\GoogleChromeElevationService
ImagePath REG_EXPANDSTRING "C:\Program Files\Google\Chrome\Application\80.0.3987.163\elevation_service.exe"
SYSTEM\CurrentControlSet\Services\GoogleChromeElevationService
DisplayName REG_STRING Google Chrome Elevation Service
SYSTEM\CurrentControlSet\Services\gupdate
ImagePath REG_EXPANDSTRING "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
SYSTEM\CurrentControlSet\Services\gupdate
DisplayName REG_STRING Google Update Service (gupdate)
SYSTEM\CurrentControlSet\Services\gupdate
Description REG_STRING Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it.
SYSTEM\CurrentControlSet\Services\gupdatem
ImagePath REG_EXPANDSTRING "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
SYSTEM\CurrentControlSet\Services\gupdatem
DisplayName REG_STRING Google Update Service (gupdatem)
SYSTEM\CurrentControlSet\Services\gupdatem
Description REG_STRING Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it.
Finding a specific binary on disk and getting the target value.
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>dir /s/b/a C:\Windows\calc.exe
C:\Windows\System32\calc.exe
C:\Windows\WinSxS\x86_microsoft-windows-calc_31bf3856ad364e35_10.0.14393.0_none_7b13d13279112b2e\calc.exe
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM\CurrentControlSet\Services\gupdatem ImagePath
ImagePath REG_EXPANDSTRING "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
Overwriting the ImagePath of a service.
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Add local SYSTEM\CurrentControlSet\Services\gupdatem EXPAND_SZ ImagePath "C:\Windows\WinSxS\x86_microsoft-windows-calc_31bf3856ad364e35_10.0.14393.0_none_7b13d13279112b2e\calc.exe"
The add opetation of SYSTEM\CurrentControlSet\Services\gupdatem was successful.
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM\CurrentControlSet\Services\gupdatem ImagePath
ImagePath REG_EXPANDSTRING C:\Windows\WinSxS\x86_microsoft-windows-calc_31bf3856ad364e35_10.0.14393.0_none_7b13d13279112b2e\calc.exe
Restoring the previous value.
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Add local SYSTEM\CurrentControlSet\Services\gupdatem EXPAND_SZ ImagePath "\"C:\Program Files\Google\Update\GoogleUpdate.exe\" /medsvc"
The add opetation of SYSTEM\CurrentControlSet\Services\gupdatem was successful.
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local SYSTEM\CurrentControlSet\Services\gupdatem ImagePath
ImagePath REG_EXPANDSTRING "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
Searching for DLLs...
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Query local System\CurrentControlSet\Control grep ".dll"
System\CurrentControlSet\Control\AppReadiness
DllName REG_EXPANDSTRING C:\Windows\system32\AppReadiness.dll
System\CurrentControlSet\Control\FileSystemUtilities
IfsUtilExtension REG_STRING ifsutilx.dll
System\CurrentControlSet\Control\Print
ConfigModule REG_STRING PrintConfig.dll
System\CurrentControlSet\Control\RetailDemo
DllName REG_EXPANDSTRING C:\Windows\system32\RDXService.dll
System\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_STRING credssp.dll
System\CurrentControlSet\Control\SrpExtensionConfig
ExtensionDll REG_EXPANDSTRING C:\Windows\system32\appidapi.dll
System\CurrentControlSet\Control\TimeZoneInformation
DaylightName REG_STRING @tzres.dll,-161
System\CurrentControlSet\Control\TimeZoneInformation
StandardName REG_STRING @tzres.dll,-162
System\CurrentControlSet\Control\WalletService
DllName REG_EXPANDSTRING C:\Windows\system32\walletservice.dll
System\CurrentControlSet\Control\WOW
KnownDLLs REG_STRING comm.drv commdlg.dll ctl3dv2.dll ddeml.dll keyboard.drv lanman.drv mmsystem.dll mouse.drv netapi.dll olecli.dll olesvr.dll pmspl.dll shell.dll sound.drv system.drv toolhelp.dll vga.drv wfwnet.drv win87em.dll winoldap.mod winsock.dll winspool.exe wowdeb.exe timer.drv compobj.dll storage.dll ole2.dll ole2disp.dll ole2nls.dll typelib.dll msvideo.dll avifile.dll msacm.dll mciavi.drv mciseq.drv mciwave.drv progman.exe avicap.dll mapi.dll
Hunting persistent spaces in svchosts.exe
Z:\jnqpblc\SharpReg\SharpReg\bin\Debug>SharpReg.exe --Persist local netsvcs
Empty Parking Spaces Within Svchost:
[+] FastUserSwitchingCompatibility
[+] Ias
[+] Nla
[+] Ntmssvc
[+] NWCWorkstation
[+] Nwsapagent
[+] SRService
[+] Wmi
[+] WmdmPmSp
[+] LogonHours
[+] PCAudit
[+] helpsvc
[+] uploadmgr
Unlocked Cars Owned By Svchost:
[+] CertPropSvc
[+] SCPolicySvc
[+] seclogon
[+] AppInfo
[+] msiscsi
[+] EapHost
[+] browser
[+] SessionEnv
[+] wercplsupport
[+] XblGameSave
[+] DcpSvc
[+] RetailDemo
[+] dmwappushservice
[+] BDESVC
[+] DmEnrollmentSvc
[+] DsmSvc
[+] NcaSvc
[+] XboxNetApiSvc
[+] lfsvc
[+] Irmon
[+] Rasauto
[+] Rasman
[+] Sharedaccess
[+] Tapisrv
[+] wuauserv
[+] BITS
[+] AppMgmt
[+] wisvc
[+] UsoSvc
[+] wlidsvc
[+] NetSetupSvc
[+] XblAuthManager
It's all about the ServiceDll. ;)