| property | value |
| --- | --- |
| tags | bloodhound,cyber-deception,pkm-pocket-pipeline,threat-hunting |
| url | |
| original_word_count | 1251 |
Article Excerpt
Hello Everyone! Today we’re back with another blog post in the Deception in Depth series. Recently, I’ve found a new way to spoof user sessions using Windows’ Remote Registry feature.
Long Summary
This article discusses a new method of spoofing user sessions using Windows' Remote Registry feature. It explains how SharpHound performs Session Enumeration, which is done via Win32 API calls and is moderately accurate. It then looks into the past and explains how the CreateProcessWithLogonW Win32 API can be used to create an artificial SMB session.
The new method leverages Windows' Remote Registry and involves loading an inactive NTUSER.DAT file from another user's account into the registry. The article explains how to do this using the reg load and reg unload commands, and how to start the Remote Registry service. It also explains how to disable the firewall, since the Remote Registry service is filtered by default.
The article then explains how an attacker can use BloodHound to collect session data and search for paths to Domain Admin. It also introduces Honey Sessions, a Python script written by the author and @LIKEROFJAZZ, which automatically drops an NTUSER.DAT file to disk and randomly selects a Domain Admin session to inject.
The article concludes by explaining how to run HoneySessions.exe as an Administrator, and how to use BloodHound.py to load the data into BloodHound. It also encourages readers to reach out to the author on Twitter or LinkedIn if they are interested in discussing new ideas or bringing deception to their organization. Overall, this article provides a comprehensive overview of how to spoof user sessions using Windows' Remote Registry feature.
Short Summary
📓 Deceiving Bloodhound - Remote Registry Session Spoofing
👉🏽 Hello Everyone! Today we’re back with another blog post in the Deception in Depth series. Recently, I’ve found a new way to spoof user sessions using Windows’ Remote Registry feature.
👉🏽 Discusses new method of spoofing user sessions
👉🏽 Utilizes Windows' Remote Registry feature
👉🏽 Explains Session Enumeration via Win32 API calls
👉🏽 Demonstrates CreateProcessWithLogonW for artificial SMB session
👉🏽 Details how to load inactive NTUSER.DAT file into registry
👉🏽 Provides commands on starting Remote Registry service
👉🏽 Instructions on how to disable Firewall for Remote Registry
👉🏽 Introduces BloodHound for session data collection
👉🏽 Introduces Honey Sessions Python script for Domain Admin injection
👉🏽 Encourages reaching out to author for discussion on deception in organization.
🔗 source link: https://blog.spookysec.net//DnD-Deceiving-BH/
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/deceiving-bloodhound-remote-registry-session-spoofing
#UserSessionSpoofing #RemoteRegistry #SharpHound #BloodHound #HoneySessions