Enumeration for Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

Sigma rule (View on GitHub)

 1title: Enumeration for Credentials in Registry
 2id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
 3status: test
 4description: |
 5    Adversaries may search the Registry on compromised systems for insecurely stored credentials.
 6    The Windows Registry stores configuration information that can be used by the system or other programs.
 7    Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
10author: frack113
11date: 2021/12/20
12modified: 2022/12/25
13tags:
14    - attack.credential_access
15    - attack.t1552.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    reg:
21        Image|endswith: '\reg.exe'
22        CommandLine|contains|all:
23            - ' query '
24            - '/t '
25            - 'REG_SZ'
26            - '/s'
27    hive:
28        - CommandLine|contains|all:
29              - '/f '
30              - 'HKLM'
31        - CommandLine|contains|all:
32              - '/f '
33              - 'HKCU'
34        - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
35    condition: reg and hive
36falsepositives:
37    - Unknown
38level: medium

References

Related rules

to-top