Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Sigma rule (View on GitHub)
1title: Enumeration for Credentials in Registry
2id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
3status: test
4description: |
5 Adversaries may search the Registry on compromised systems for insecurely stored credentials.
6 The Windows Registry stores configuration information that can be used by the system or other programs.
7 Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
10author: frack113
11date: 2021-12-20
12modified: 2022-12-25
13tags:
14 - attack.credential-access
15 - attack.t1552.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 reg:
21 Image|endswith: '\reg.exe'
22 CommandLine|contains|all:
23 - ' query '
24 - '/t '
25 - 'REG_SZ'
26 - '/s'
27 hive:
28 - CommandLine|contains|all:
29 - '/f '
30 - 'HKLM'
31 - CommandLine|contains|all:
32 - '/f '
33 - 'HKCU'
34 - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
35 condition: reg and hive
36falsepositives:
37 - Unknown
38level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- SAM Registry Hive Handle Request
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- Access to Browser Login Data
- Account Lockout