Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Sigma rule (View on GitHub)
1title: Enumeration for Credentials in Registry
2id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
3status: test
4description: |
5 Adversaries may search the Registry on compromised systems for insecurely stored credentials.
6 The Windows Registry stores configuration information that can be used by the system or other programs.
7 Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
10author: frack113
11date: 2021-12-20
12modified: 2022-12-25
13tags:
14 - attack.credential-access
15 - attack.t1552.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 reg:
21 Image|endswith: '\reg.exe'
22 CommandLine|contains|all:
23 - ' query '
24 - '/t '
25 - 'REG_SZ'
26 - '/s'
27 hive:
28 - CommandLine|contains|all:
29 - '/f '
30 - 'HKLM'
31 - CommandLine|contains|all:
32 - '/f '
33 - 'HKCU'
34 - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
35 condition: reg and hive
36falsepositives:
37 - Unknown
38level: medium
References
Related rules
- Enumeration for 3rd Party Creds From CLI
- SAM Registry Hive Handle Request
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability