
Adding the registry read hive command #1559

Merged
merged 4 commits into master from windows-dumpkey on Jan 17, 2024

Conversation

RafBishopFox
Collaborator

This PR adds the registry read hive command. It allows an operator to dump the contents of a registry hive to a binary file. The typical use case for this would be for dumping the SAM, SECURITY, and SYSTEM hives for use with a tool like secretsdump.

To dump the SAM hive for example, the command would look like this:

registry read hive -s SAM.save SAM

The command defaults to starting from HKLM. To dump SAM, SECURITY, and SYSTEM, Sliver has to be running with or be able to get the SeBackupPrivilege privilege and be running with High integrity. The command supports looting the resulting hive dump.
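Before pointing secretsdump at a dump like SAM.save, a practitioner usually wants to confirm it is a complete, consistent primary hive file rather than a truncated or half-written copy. The Go program below is an added example written for this page, not code from this PR or from Sliver: it parses the regf base block that starts every hive file (signature, primary and secondary sequence numbers, format version, file type, the UTF-16LE name field and the XOR-32 checksum) and rejects dumps that are truncated, not regf, checksum-corrupted, not a primary file, or dirty. The `HiveHeader` type, the function names and the synthetic base blocks produced by `BuildBaseBlock` are assumptions made for the example; the field offsets follow the documented regf base-block layout.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

const baseBlockSize = 0x1000 // the regf base block at the start of every hive file

// HiveHeader holds the base-block fields worth checking before handing a dump to secretsdump.
type HiveHeader struct {
	PrimarySeq, SecondarySeq uint32 // equal when the hive was written out cleanly
	Major, Minor             uint32 // format version, 1.x
	FileType                 uint32 // 0 = primary file, which is what RegSaveKeyW writes
	Name                     string // UTF-16LE name field, kept by Windows for debugging
	Checksum                 uint32 // XOR-32 over the first 0x1FC bytes
}

func le(b []byte, off int) uint32 { return binary.LittleEndian.Uint32(b[off:]) }

// regfChecksum is the XOR-32 of the 127 DWORDs preceding the checksum field at 0x1FC.
func regfChecksum(b []byte) uint32 {
	var x uint32
	for off := 0; off < 0x1FC; off += 4 {
		x ^= le(b, off)
	}
	return x
}

// decodeName reads the NUL-terminated UTF-16LE file name field at 0x30.
func decodeName(b []byte) string {
	var units []uint16
	for off := 0; off+1 < len(b) && binary.LittleEndian.Uint16(b[off:]) != 0; off += 2 {
		units = append(units, binary.LittleEndian.Uint16(b[off:]))
	}
	return string(utf16.Decode(units))
}

// ParseHiveHeader validates a dump's base block. It rejects files that are truncated,
// not regf, checksum-corrupted, not a primary file, or dirty (sequence numbers differ,
// meaning the transaction log would also be needed for a consistent view).
func ParseHiveHeader(b []byte) (*HiveHeader, error) {
	if len(b) < baseBlockSize {
		return nil, fmt.Errorf("file too short for a base block: %d bytes", len(b))
	}
	if string(b[:4]) != "regf" {
		return nil, fmt.Errorf("missing regf signature: not a registry hive")
	}
	h := &HiveHeader{
		PrimarySeq: le(b, 0x04), SecondarySeq: le(b, 0x08),
		Major: le(b, 0x14), Minor: le(b, 0x18), FileType: le(b, 0x1C),
		Name: decodeName(b[0x30:0x70]), Checksum: le(b, 0x1FC),
	}
	if want := regfChecksum(b); want != h.Checksum {
		return nil, fmt.Errorf("checksum mismatch: stored %#x, computed %#x", h.Checksum, want)
	}
	if h.FileType != 0 {
		return nil, fmt.Errorf("not a primary hive file (type %d)", h.FileType)
	}
	if h.PrimarySeq != h.SecondarySeq {
		return nil, fmt.Errorf("dirty hive: sequence numbers %d != %d", h.PrimarySeq, h.SecondarySeq)
	}
	return h, nil
}

// BuildBaseBlock constructs a synthetic base block as sample input for the demo
// and tests; it is constructed data, not a hive taken from a real machine.
func BuildBaseBlock(name string, primary, secondary uint32) []byte {
	b := make([]byte, baseBlockSize)
	copy(b, "regf")
	put := func(off int, v uint32) { binary.LittleEndian.PutUint32(b[off:], v) }
	put(0x04, primary)
	put(0x08, secondary)
	put(0x14, 1) // major version
	put(0x18, 5) // minor version; file type at 0x1C stays 0 (primary file)
	for i, u := range utf16.Encode([]rune(name)) {
		binary.LittleEndian.PutUint16(b[0x30+2*i:], u)
	}
	put(0x1FC, regfChecksum(b))
	return b
}

func report(label string, blob []byte) {
	h, err := ParseHiveHeader(blob)
	if err != nil {
		fmt.Printf("%-18s REJECT: %v\n", label, err)
		return
	}
	fmt.Printf("%-18s OK: name=%q version=%d.%d seq=%d\n", label, h.Name, h.Major, h.Minor, h.PrimarySeq)
}

func main() {
	report("clean SAM dump", BuildBaseBlock("SAM", 7, 7))
	report("dirty SYSTEM dump", BuildBaseBlock("SYSTEM", 9, 8))
	report("truncated file", BuildBaseBlock("SECURITY", 1, 1)[:512])
}
```

With real files, read SAM.save with `os.ReadFile` and pass the bytes to `ParseHiveHeader`; a dump produced by the command above is expected to pass, and one that passes can go straight to impacket with `secretsdump.py -sam SAM.save -security SECURITY.save -system SYSTEM.save LOCAL`. A sequence-number mismatch means the copy was taken mid-write and the hive's .LOG transaction files would be needed to reconstruct a consistent view, so it is worth re-dumping rather than parsing.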

@RafBishopFox RafBishopFox requested a review from a team as a code owner January 17, 2024 16:08
Contributor

@lesnuages lesnuages left a comment


Small changes to make, otherwise looks good.

@RafBishopFox RafBishopFox marked this pull request as draft January 17, 2024 17:11
@RafBishopFox RafBishopFox marked this pull request as ready for review January 17, 2024 17:19
@RafBishopFox RafBishopFox marked this pull request as draft January 17, 2024 17:21
…a remote host due to limitations in the RegSaveKeyW API call
@RafBishopFox RafBishopFox marked this pull request as ready for review January 17, 2024 17:31
@RafBishopFox
Collaborator Author

RafBishopFox commented Jan 17, 2024

I had to remove support for running this command against a remote system because if you pass a remote key to RegSaveKeyW, it will save the dump file on the remote computer. That means we would have to build in functionality to retrieve and delete the file remotely. If we want to go down that route, I could work on adding that back in, but it would add a lot of complexity.

@rkervella
Member

Yeah no problem on focusing on the local host.

@rkervella rkervella merged commit d9db575 into master Jan 17, 2024
5 checks passed
@RafBishopFox RafBishopFox deleted the windows-dumpkey branch January 18, 2024 11:53