Adventures in Powershell for IR
So, I wanted to access locked registry hives. Simple enough using F-Response, but it devolves into various solutions that are not well supported after that. I came across one solution that was of particular interest from a response side but also from an attack side:
In short, it opens a read handle to the C volume, parses the NTFS structures, and reads the files directly thus bypassing all access controls and locks. You do need to be local admin to run it.
This is great for getting locked registry hives, or for remotely copying NTDS.dit without deploying hacker tools on the remote system. Bear in mind that the remote system needs to be running the WS-Management service. This is not running by default on our Windows 7 desktops, but the author mentioned that it is running by default on Windows Server 2012.
There are a number of niggling issues with getting PowerShell scripts to run. This article covers almost all of them nicely: Execution Policy
However, it didn’t cover one issue – what happens when you try to do:
and get a registry access error?
This post explains how to edit the registry directly.
Once you’ve worked your way through those issues, you can grab local and remote files to your heart’s content.