The third release of the free CrowdResponse incident response collection tool is now available! This time around we are including plugins facilitating collection of Windows registry data. Our inspiration for this release was one of those vulnerabilities that just won’t die, Windows Sticky Keys, and we’ll show how to identify this attack while demonstrating the new additions.
RegDump recursively extracts Windows registry key and value data. Usage:

    -d         Nested output format
    -s         Recursive dump
    <reg key>  Registry key to start the dump from

Valid registry hive names are HKLM, HKCU, HKCR, HKU, and HKAU (a pseudo key representing all users).
RegFile searches registry string values (REG_SZ and REG_EXPAND_SZ) for file path data. If the referenced file exists on disk, its file information, hash, and digital signature details are recorded.
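As an added illustration of the RegFile pass (example code written for this post, not CrowdResponse's own code): it pulls file path candidates out of REG_SZ and REG_EXPAND_SZ values, resolves them against a locally mounted copy of the volume (the drive_map assumption, as when working from a disk image), and records existence, size and SHA-256. The registry tuples and environment map are constructed sample data; the first tuple is the Image File Execution Options "Debugger" entry for sethc.exe that a Sticky Keys backdoor leaves behind, which is the artifact RegFile surfaces for this attack. Digital-signature checking is left out.

```python
import hashlib
import os
import re

# Path candidate in a registry string: drive letter or UNC root, then path
# characters; stops at a quote or a character that is invalid in Windows paths.
_PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^"<>|*?\r\n]*')

# Constructed sample of (key, value name, type, data) as a registry dump yields it.
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe",
     "Debugger", "REG_SZ", r"C:\Windows\System32\cmd.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Example", "ImagePath", "REG_EXPAND_SZ",
     r'"%SystemRoot%\System32\svchost.exe" -k netsvcs'),
    (r"HKLM\SOFTWARE\Example", "Flags", "REG_DWORD", "1"),
]

def extract_paths(value, kind, env):
    """File path candidates in a REG_SZ / REG_EXPAND_SZ value, quoted or bare."""
    if kind not in ("REG_SZ", "REG_EXPAND_SZ"):
        return []
    if kind == "REG_EXPAND_SZ":  # %VAR% expansion from an explicit map, not os.environ
        value = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)
    # A quoted token may contain spaces; a bare token ends at whitespace, so an
    # unquoted path containing spaces is only partially captured (known limit).
    tokens = (q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', value))
    return [m.group(0) for m in map(_PATH_RE.match, tokens) if m]

def describe_file(win_path, drive_map):
    """Existence, size and SHA-256 of a Windows path resolved through a mounted
    image (drive_map maps 'C:' to its local directory); signatures not computed."""
    drive, _, rest = win_path.partition("\\")
    root = drive_map.get(drive.upper())
    local = os.path.join(root, *rest.split("\\")) if root else None
    if local is None or not os.path.isfile(local):
        return {"path": win_path, "exists": False}
    h = hashlib.sha256()
    with open(local, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"path": win_path, "exists": True,
            "size": os.path.getsize(local), "sha256": h.hexdigest()}

def regfile_scan(values, env, drive_map):
    """RegFile-style pass: one record per file path found in a string value."""
    out = []
    for key, name, kind, data in values:
        for p in extract_paths(data, kind, env):
            out.append(dict(describe_file(p, drive_map), key=key, value=name))
    return out
```

A Debugger value under the sethc.exe IFEO key that resolves to a different, existing executable is the record to review; the hash lets you confirm which binary it is.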