Team: Huntress EDR
Product: Manual Incident Remediation
Environment: Huntress EDR
Summary: Not all remediation steps can be performed automatically. Often times, registry keys are tied to a specific user and require the user be signed in to correct. Check back on failed assisted remediation for user registry keys that need to be manually actioned on.
Windows will not load a User hive unless that user is logged on, so sometimes it may be necessary to manually load the hive to remediate keys (assisted remediation will fail without access to a user hive). Rather than waiting for the user to log back in it is possible to manually load the hive and remediate the foothold yourself.
First look at the Incident Report to figure out which user hive must be loaded. In this example below the <username> will be testuser1
Now retrieve the registry either with GUI or PoSh
GUI - Open regedit.msc and browse to Computer\HKEY_USERS
PoSh - loads the remote registry into HKLM:\Temp\ on your machine, you must change $userProfilePath and $fullPathToRegValue values!
$userProfilePath = "c:\users\<username>"
$fullPathToRegValue = "\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
reg load "HKLM\Temp" "$userProfilePath\ntuser.dat"
Remove-ItemProperty -Path "HKLM:\Temp\fullPathToRegValue" -Name “Registry Value” -Force
reg unload "HKLM\Temp"
Click on File, then click on Load Hive...
Browse to the user folder, usually c:\Users\<username> and double click on NTUSER.DAT
When prompted for Key Name type in the <username> from above (it can really be anything but naming it something obvious prevents mistakes)
A new entry should now appear, named whatever value you used for Key Name above. You can now browse to the malicious key from your Huntress Incident Report. In the first screenshot above this would be found in \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ once there delete the ImagingDevices value.
Once the malicious value has been removed, click on the Key Name again, then click File -> Unload Hive
Please sign in to leave a comment.