
@Cyb3rWard0g
Last active November 2, 2020 20:03
  • Save Cyb3rWard0g/028805262130f4ac5ac2de73625dfb12 to your computer and use it in GitHub Desktop.

Revisions

  1. Cyb3rWard0g revised this gist Nov 2, 2020. 1 changed file with 10 additions and 6 deletions.
    16 changes: 10 additions & 6 deletions seatbelt_registry_basic_exploration.txt
    @@ -70,13 +70,14 @@ SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword"
    Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
    Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "ConsentPromptBehaviorAdmin"
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "LocalAccountTokenFilterPolicy"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "FilterAdministratorToken"
    SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"
    SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken"
    SOFTWARE\Microsoft\Windows Defender\"
    SOFTWARE\Policies\Microsoft\Windows Defender\"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
    SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
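    Review bot: dropping the three explicit `SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`, `\Processes` and `\Extensions` entries in favour of the bare `SOFTWARE\Microsoft\Windows Defender\` and `SOFTWARE\Policies\Microsoft\Windows Defender\` roots loses the most detection-relevant part of this block; unless whatever consumes this list walks the root keys recursively, keep the Exclusions subkeys listed next to the roots, since changes to those values are what defenders actually monitor. Two smaller points in the same hunk: `Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings` is listed twice back to back, and the hunk now mixes `\\`-escaped entries (Winlogon, Internet Settings, the Run keys) with single-backslash ones (`ConsentPromptBehaviorAdmin`, `EnableLUA`, `LocalAccountTokenFilterPolicy`), so anyone parsing the file has to normalise both forms; pick one convention for the whole file.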
    @@ -94,6 +95,9 @@ Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}\\{id}", "Value"
    SOFTWARE\Microsoft\AMSI\Providers"
    SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
    Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager"
    Software\Policies\Microsoft\Windows\CredentialsDelegation"
    SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "AuthenticationLevel"
    SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{extension}"
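    Review bot: `Software\Policies\Microsoft\Windows\CredentialsDelegation` is added as a bare key while the neighbouring `SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "AuthenticationLevel"` entry names the value it reads; name the CredentialsDelegation value(s) the check depends on so the entry is actionable for whoever turns this list into audit or detection logic. The Terminal Services key also appears twice in this hunk, once with `AuthenticationLevel` and once bare; if the bare entry is meant as a full key enumeration, say so, otherwise fold it into the first.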
  2. Cyb3rWard0g revised this gist May 27, 2020. 1 changed file with 6 additions and 6 deletions.
    12 changes: 6 additions & 6 deletions seatbelt_registry_basic_exploration.txt
    @@ -1,3 +1,6 @@
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
    SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
    SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
    Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
    Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
    Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
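    Review bot: none of the entries record the root hive, and this hunk places per-user keys directly above machine-wide ones: the `Internet Explorer\TypedURLs` and `TypedURLsTime` keys are read per user from HKCU (and only exist for users who have typed URLs into IE), `App Paths\chrome.exe` lives under HKLM or HKCU depending on whether Chrome was installed system-wide or per user, and the `AdmPwd` LAPS policy values that follow are HKLM only. Prefix each entry with its hive, or group the list by hive, so the per-user entries are not mistaken for machine configuration when the list is turned into an audit script.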
    @@ -21,9 +24,8 @@ SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Options"
    SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Rules"
    SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
    SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
    SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
    SOFTWARE\Microsoft\AMSI\Providers"
    SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
    Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId"
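    Review bot: the context line `SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"` runs two separate keys together with a C# verbatim-string prefix, and the native Uninstall key is then repeated on the next line; split it into one entry per key (Wow6432Node and native) so it matches the one-key-per-line format of the rest of the file. The `{provider}` placeholder in the `SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32` entry added here is only meaningful if the reader knows it is filled from the subkey names under `SOFTWARE\Microsoft\AMSI\Providers`; a one-line legend for the `{...}` placeholders would help, since the file has no header.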
    @@ -117,6 +119,4 @@ Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit"
    SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5", "Version"
    SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full", "Version"
    SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
    SOFTWARE\Policies\Microsoft\WindowsFirewall", @"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
    SOFTWARE\Microsoft\AMSI\Providers"
    SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
    SOFTWARE\Policies\Microsoft\WindowsFirewall", @"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
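    Review bot: after this hunk the firewall block reads `SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy` on one line and `@"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"` on the next; `ControlSet001` is a hard-coded control set while `CurrentControlSet` is the link to whichever set is active, and the two can point at different data after a Last Known Good rollback. Use `CurrentControlSet` in both entries unless the non-active set is intentionally being compared, and split the `SOFTWARE\Policies\Microsoft\WindowsFirewall` policy key from the `FirewallPolicy` runtime key onto separate lines, since the policy key overrides the local setting and readers will want to check them in that order.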
  3. Cyb3rWard0g created this gist May 27, 2020.
    122 changes: 122 additions & 0 deletions seatbelt_registry_basic_exploration.txt
    @@ -0,0 +1,122 @@
    Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
    Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
    Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
    Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
    Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
    SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
    SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"
    SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "UpdateServiceUrlAlternate"
    SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUStatusServer"
    SOFTWARE\Microsoft\CCMSetup", "LastValidMP"
    SOFTWARE\Microsoft\SMS\Mobile Client", "AssignedSiteCode"
    SOFTWARE\Microsoft\SMS\Mobile Client", "ProductVersion"
    SOFTWARE\Microsoft\SMS\Mobile Client", "LastSuccessfulInstallParams"
    Software\\SimonTatham\\PuTTY\\Sessions\\"
    Software\\SimonTatham\\PuTTY\\Sessions\\{sessionName}"
    Software\\SimonTatham\\PuTTY\\SshHostKeys\\"
    Software\\Microsoft\\Office"
    Software\\Microsoft\\Office\\{version}"
    SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "HashingAlgorithm"
    SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Options"
    SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Rules"
    SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
    SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
    SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber"
    Software\\Microsoft\\Windows NT\\CurrentVersion", "UBR"
    SOFTWARE\\Microsoft\\Cryptography", "MachineGuid"
    SYSTEM\\CurrentControlSet\\Control\\Lsa"
    SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion"
    SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion"
    SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\"
    SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\" + key, "SemanticVersion"
    SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "EnableTranscripting") == "1"
    SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "EnableInvocationHeader") == "1"
    SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "OutputDirectory"
    SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", "EnableModuleLogging") == "1"
    SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames"
    SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", "EnableScriptBlockLogging") == "1"
    SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"
    SYSTEM\\CurrentControlSet\\Services\\{serviceName}\\Parameters", "ServiceDll"
    SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ServiceDll"
    SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ImagePath"
    SYSTEM\\ControlSet001\\Control\\Windows", "ShutdownTime"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
    Software\\Microsoft\\Terminal Server Client\\Servers"
    Software\\Microsoft\\Terminal Server Client\\Servers\\{host}", "UsernameHint"
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "ProfileName"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Description"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Category"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "NameType"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Managed"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "DateCreated"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "DateCreated"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName"
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword"
    Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
    Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "ConsentPromptBehaviorAdmin"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "LocalAccountTokenFilterPolicy"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "FilterAdministratorToken"
    SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"
    SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
    SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
    SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
    SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService"
    SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
    SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\{plugin}", "ConfigXML"
    Software\\Policies\\Microsoft\\Windows\\SrpV2"
    Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}", "EnforcementMode"
    Software\\Policies\\Microsoft\\Windows\\SrpV2\\"
    Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}\\{id}", "Value"
    SOFTWARE\Microsoft\AMSI\Providers"
    SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
    Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager"
    SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{extension}"
    System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"
    System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature"
    System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature"
    System\CurrentControlSet\Services\LanManServer\Parameters", "RequireSecuritySignature"
    System\CurrentControlSet\Services\LanManServer\Parameters", "EnableSecuritySignature"
    System\CurrentControlSet\Control\LSA", "SuppressExtendedProtection"
    System\CurrentControlSet\Services\LDAP", "LDAPClientIntegrity"
    System\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity"
    System\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding"
    SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinClientSec"
    SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinServerSec"
    System\CurrentControlSet\Services\Netlogon\Parameters", "RestrictNTLMInDomain"
    System\CurrentControlSet\Services\Netlogon\Parameters", "DCAllowedNTLMServers"
    System\CurrentControlSet\Services\Netlogon\Parameters", "AuditNTLMInDomain"
    System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictReceivingNTLMTraffic"
    System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic"
    System\CurrentControlSet\Control\Lsa\MSV1_0", "AuditReceivingNTLMTraffic"
    System\CurrentControlSet\Control\Lsa\MSV1_0", "ClientAllowedNTLMServers"
    Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit"
    SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5", "Version"
    SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full", "Version"
    SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
    SOFTWARE\Policies\Microsoft\WindowsFirewall", @"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
    SOFTWARE\Microsoft\AMSI\Providers"
    SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
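    Review bot: `NetworkList\\Profiles\\{profileGUID}", "DateCreated"` is listed twice in a row in the middle of the file; the second copy is most likely a typo for another value under the same profile key (`DateLastConnected` is the one that matters for timeline work), so fix or drop the duplicate. Other cleanups for this initial version: `Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings` is also duplicated; the PowerShell Transcription, ModuleLogging and ScriptBlockLogging entries keep the `) == "1"` comparison from the code they were copied from, and the PowerShellCore entry keeps `" + key`, both C# fragments rather than registry paths; the `SOFTWARE\Microsoft\AMSI\Providers` and `InprocServer32` pair appears both mid-file and at the end; and the file mixes `\\`-escaped and single-backslash paths without recording the root hive for any entry. A header line stating the format (hive, key, value) and a single escaping convention would make the list directly usable as input to an audit script.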