Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Sigma rule (View on GitHub)
1title: Enumeration for Credentials in Registry
2id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
3status: test
4description: |
5 Adversaries may search the Registry on compromised systems for insecurely stored credentials.
6 The Windows Registry stores configuration information that can be used by the system or other programs.
7 Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
10author: frack113
11date: 2021/12/20
12modified: 2022/12/25
13tags:
14 - attack.credential_access
15 - attack.t1552.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 reg:
21 Image|endswith: '\reg.exe'
22 CommandLine|contains|all:
23 - ' query '
24 - '/t '
25 - 'REG_SZ'
26 - '/s'
27 hive:
28 - CommandLine|contains|all:
29 - '/f '
30 - 'HKLM'
31 - CommandLine|contains|all:
32 - '/f '
33 - 'HKCU'
34 - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
35 condition: reg and hive
36falsepositives:
37 - Unknown
38level: medium
References
Related rules
- Enumeration for 3rd Party Creds From CLI
- SAM Registry Hive Handle Request
- Active Directory Replication from Non Machine Account
- Anonymous IP Address
- Antivirus Password Dumper Detection