A central, hierarchical database used in Windows 98, Windows CE, Windows NT, and Windows 2000 to store the information needed to configure the system for one or more users, applications, and hardware devices, the Windows Registry can be used by the kernel, device drivers, services, the Security Accounts Manager, and user interfaces.

As the Windows Registry is a database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry, it functions as a repository of information that Windows continually references during operation.

The Windows registry is full of information, and with the proper tools it can be a gold mine for attackers and defenders alike. Attackers look for specific configurations, credentials, or any information that can help them further attack systems, while defenders can use the registry to ensure that settings are configured as expected. This is not always easy to do with the standard tools in Windows, or with the right level of performance. Fortunately, osquery solves that for us.

Let's consider GPOs, which most organizations with a Windows environment and a domain use. GPOs are usually just a way to get a set of specific values configured in the registry. Osquery allows us to query the registry for those values very easily. For example, this query returns the settings related to Microsoft LAPS:

```sql
SELECT * FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd';
```

A similar query against each user's hive returns the Sticky Keys configuration values found for every user. Unless a user needs Sticky Keys, that value should actually be set to 506, to prevent abuse to elevate privileges, as 506 is the value that gets written when Sticky Keys are disabled completely.

The results are there, but, as someone trying to understand which user is affected by which setting, they are not very readable.

Fortunately, using SQL, we can easily join tables together, and the users table contains the data we are looking for. To join tables, we need a column with common data. The registry table contains: key, path, name, type, data, mtime. The users table contains none of these, but it contains uuid, which, on Windows, returns the SID (Security Identifier). If you are not familiar with SIDs, they are unique identifiers for users, groups and logon sessions. Generic accounts and groups on Windows have the same SID on every installation, but each account created has a random SID. The SID is exactly what is used to separate users in the registry. So while the registry table doesn't have a column with the SID, the path column does contain it.

Osquery supports SQL additions, including split. Split allows us to specify that a column be separated on a delimiter, and to create a new column with only that part of the value. The registry, like many things in Windows, is separated by backslashes. In this case, we want the first value returned after a backslash to be its own column. Therefore, we will use split(path, '\', 1) to obtain the first value located between backslashes in path. We'll call the column we are creating sid. Then, we need to map this to the users table, on the uuid field.
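Putting the pieces together, the join described above written out as an added example query (not code from the original post). It assumes that the Sticky Keys setting is the value named Flags under Control Panel\Accessibility\StickyKeys in each user's hive, and that the registry table accepts a % wildcard in the key constraint; both are assumptions here, not something the post states.

```sql
-- Added example: join each user's Sticky Keys value to the account that owns it.
-- Assumption: the setting lives at Control Panel\Accessibility\StickyKeys, value name Flags.
-- Keys under HKEY_USERS are named by SID, so a path looks like
--   HKEY_USERS\S-1-5-21-...\Control Panel\Accessibility\StickyKeys\Flags
SELECT
  u.username,
  split(r.path, '\', 1) AS sid,             -- element 1 of the backslash-split path is the SID
  r.data AS sticky_keys_flags,
  CASE WHEN r.data = '506' THEN 'disabled'  -- 506 is written when Sticky Keys is fully disabled
       ELSE 'enabled - review' END AS status,
  r.mtime                                   -- last change time of the key, handy for timelines
FROM registry r
JOIN users u ON u.uuid = split(r.path, '\', 1)   -- users.uuid holds the SID on Windows
WHERE r.key LIKE 'HKEY_USERS\%\Control Panel\Accessibility\StickyKeys'
  AND r.name = 'Flags';
```

Rows whose status is not 'disabled' are the accounts whose Sticky Keys setting still needs a look.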