Tuesday, 1 September 2020

Discovering Windows Registry Symbolic Links using Sysmon

Registry symbolic links are followed transparently, so code that opens a linked path (HKLM\SYSTEM\CurrentControlSet, which is a link to one of the ControlSet00N keys, is the best-known example) is usually unaware that it is going through a link at all. Each symbolic link has a source key and a target key. The source key holds a single value, of type REG_LINK, whose data is the object-manager path of the target key. Symbolic link source keys are created when a client creates a registry key with the REG_OPTION_CREATE_LINK option.

After creating the symbolic link source key, a client MUST create a new value under the source key named "SymbolicLinkValue". The SymbolicLinkValue value contains the Object Name of the target of the symbolic link, which MUST NOT be NULL-terminated. The type of the value named SymbolicLinkValue MUST be REG_LINK.

Example of how to create one using the NtApiDotNet module:
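The following is an added example, not the post's own code, that creates such a link with the NtObjectManager PowerShell module (the PowerShell front-end of NtApiDotNet) and then inspects it. It assumes an elevated session with the module installed from the PowerShell Gallery; the link name \Registry\Machine\SOFTWARE\Test and the Image File Execution Options target are assumptions chosen to match the rest of the post.

```powershell
# Added example: create and inspect a registry symbolic link with NtObjectManager.
# Requires an elevated session; Install-Module NtObjectManager if it is not present.
Import-Module NtObjectManager

# Source (the link key itself) and target, given as native object-manager paths.
# Both sit under the same root, \Registry\Machine. These paths are assumptions.
$source = "\Registry\Machine\SOFTWARE\Test"
$target = "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# REG_OPTION_CREATE_LINK: the key is created as a symbolic link source key.
$link = New-NtKey -Path $source -Options CreateLink
try {
    # Writes the REG_LINK value "SymbolicLinkValue" holding the target path
    # (UTF-16 name without a terminating NUL, as the specification requires).
    $link.SetSymbolicLinkTarget($target)
} finally {
    $link.Close()
}

# A normal open follows the link: the handle refers to the target key and
# reports the target's name. This is why monitoring tools see IFEO, not Test.
$viaLink = Get-NtKey -Path $source
"Normal open resolves to: $($viaLink.FullPath)"
$viaLink.Close()

# REG_OPTION_OPEN_LINK opens the link key itself, so the REG_LINK value is visible.
$raw = Get-NtKey -Path $source -Options OpenLink
try {
    $val = $raw.QueryValue("SymbolicLinkValue")
    "Value type: $($val.Type)"
    "Target:     " + [Text.Encoding]::Unicode.GetString($val.Data)
} finally {
    $raw.Close()
}
```

The two opens are the whole point: the plain Get-NtKey returns a handle whose name is the IFEO path, while the OpenLink variant is the only way to read (or later delete) the link key itself. Creating a link under HKLM\SOFTWARE requires administrative rights, which is exactly why the privilege escalation cases discussed later hinge on finding a user-writable key.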

We can see that the registry symbolic link key "Test" was indeed created successfully (although Registry Editor cannot open it and displays this error):

Using the following Sysmon registry configuration we can also see the symbolic link creation, as EventID 12 (key created) and EventID 13 (value set):
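The post's own configuration is not reproduced here. The following added example, not taken from the original, is a minimal Sysmon rule set that covers what the post describes: registry events under the Test key, plus, more generally, any set of a value named SymbolicLinkValue, which is the artefact every registry symbolic link creation leaves behind. It assumes Sysmon is installed as Sysmon64.exe and on PATH, an elevated prompt, and the file location shown.

```powershell
# Added example: Sysmon rules that surface registry symbolic link creation.
# EventID 12 = key created/deleted, 13 = value set, 14 = key/value renamed.
$config = @'
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="RegSymlink" groupRelation="or">
      <RegistryEvent onmatch="include">
        <!-- the test link key used in the post (path is an assumption) -->
        <TargetObject condition="begin with">HKLM\SOFTWARE\Test</TargetObject>
        <!-- every registry symbolic link is created by setting this REG_LINK value -->
        <TargetObject condition="end with">\SymbolicLinkValue</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Assumed location for the configuration file.
$configPath = Join-Path $env:TEMP "sysmon-regsymlink.xml"
Set-Content -Path $configPath -Value $config -Encoding ASCII

# Apply (or update) the running Sysmon configuration; needs an elevated prompt.
& Sysmon64.exe -c $configPath
```

The second rule is the one worth keeping in a production configuration: legitimate software almost never creates registry symbolic links, so an EventID 13 whose TargetObject ends in \SymbolicLinkValue is a low-volume, high-signal indicator regardless of where in the registry the link lands.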

Now let's write to the Test registry symbolic link and see what happens:

Sysmon correctly logs the change against the symbolic link's target key (IFEO, not Test 😉):
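To reproduce that observation end to end, here is an added example (not the post's code) that writes a value through the link with the standard registry provider, reads it back from the target directly, and then pulls the matching Sysmon events. It assumes an elevated session, the Sysmon rule set in place, and the link \Registry\Machine\SOFTWARE\Test pointing at Image File Execution Options; the value name RegSymLinkProbe is a constructed test value.

```powershell
# Added example: write through a registry symbolic link and see where it lands.
Import-Module NtObjectManager

$source    = "\Registry\Machine\SOFTWARE\Test"   # link key (assumption)
$target    = "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
$ifeo      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
$valueName = "RegSymLinkProbe"                   # constructed test value

# Recreate the link if it is missing. Test-Path follows the link, so it is
# true when the link exists and resolves, false when there is no key at all.
if (-not (Test-Path "HKLM:\SOFTWARE\Test")) {
    $k = New-NtKey -Path $source -Options CreateLink
    $k.SetSymbolicLinkTarget($target)
    $k.Close()
}

# Write via the Win32 path of the link. The provider follows the link, so the
# value is created under the target key, not under Test.
New-ItemProperty -Path "HKLM:\SOFTWARE\Test" -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null

# Read it back from the target without going through the link.
"Value under IFEO: " + (Get-ItemProperty -Path $ifeo -Name $valueName).$valueName

# The link key itself still holds nothing but SymbolicLinkValue.
$raw = Get-NtKey -Path $source -Options OpenLink
"Values on the link key: " + (($raw.QueryValues() | ForEach-Object Name) -join ", ")
$raw.Close()

# What Sysmon recorded: TargetObject names the resolved IFEO path, not ...\Test.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $_.Id; Image = $data.Image; TargetObject = $data.TargetObject }
    } |
    Where-Object { $_.TargetObject -like "*$valueName*" } |
    Format-Table -AutoSize

# Cleanup: remove the probe value from the target, then delete the link key
# itself (it must be opened with OpenLink, otherwise Delete would hit IFEO).
Remove-ItemProperty -Path $ifeo -Name $valueName
$raw = Get-NtKey -Path $source -Options OpenLink -Access Delete
$raw.Delete()
$raw.Close()
```

The caveat for detection engineering follows directly: a rule keyed on the link's path (HKLM\SOFTWARE\Test) will catch the link being created but not anything written through it, because by the time the write reaches the kernel the key has already been resolved to its target. Rules on the sensitive target paths (IFEO, Services and so on) keep working, and the SymbolicLinkValue rule catches the redirection being set up.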

Symbolic links are often abused in a class of privilege escalation vulnerabilities to redirect file, directory and registry key creation: a privileged process (e.g. a service or scheduled task running as NT AUTHORITY\SYSTEM without impersonating the caller) creates an object at a location a less privileged user controls, and under certain conditions that creation can be hijacked through a link. For registry symbolic links, CVE-2020-1377 is a great example:

What is relevant for us here is that, under certain conditions, a standard user can trick a privileged thread into creating a new key under the Services key (in effect preparing a new service). To do so, the standard user needs to create a registry symbolic link under HKLM (the source and target of a registry symbolic link must be under the same root) and point it at the Services key. One of the keys under HKLM that standard users can write to is HKLM\SOFTWARE\Microsoft\DRM:
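An added example, not part of the post, of the check a defender would run for that precondition: walk HKLM\SOFTWARE and list keys whose DACL grants subkey or value creation to low-privilege principals, which is where a standard user could plant a link such as the DRM one. It uses only the built-in registry provider; the depth limit and the principal names (which are the English ones, so they differ on localized systems) are assumptions.

```powershell
# Added example: find keys under HKLM\SOFTWARE that a standard user can write to.
# A user-writable key under the same root as the intended target is the
# precondition for planting a registry symbolic link.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a caller add a link key or write its SymbolicLinkValue.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateLink)
$genericWrite = 0x40000000   # GENERIC_WRITE, left unmapped in some ACEs
$genericAll   = 0x10000000   # GENERIC_ALL

function Get-UserWritableKey {
    param(
        [string]$Root  = 'HKLM:\SOFTWARE',
        [int]   $Depth = 3          # depth limit is an assumption; raise it for a full sweep
    )
    Get-ChildItem -Path $Root -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            # Keys we cannot read the DACL of are skipped rather than reported.
            try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                $mask = [int]$ace.RegistryRights
                if (($mask -band $writeMask) -or ($mask -band $genericWrite) -or ($mask -band $genericAll)) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

Get-UserWritableKey | Sort-Object Key | Format-Table -AutoSize
```

This only reads DACLs, so it over-approximates slightly (a Deny ACE earlier in the list can cancel an Allow it reports) and says nothing about whether a privileged component will ever create keys by a name the user controls; it is the inventory to start from, and each hit deserves the same question CVE-2020-1377 answers for DRM: which SYSTEM-level code path creates or opens keys beneath it without impersonation.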