Enumeration for 3rd Party Creds From CLI

 1title: Enumeration for 3rd Party Creds From CLI
 2id: 87a476dc-0079-4583-a985-dee7a20a03de
 3related:
 4    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
 5      type: derived
 6status: test
 7description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
 8references:
 9    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
10    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
11    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
12    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-06-20
15tags:
16    - attack.credential-access
17    - attack.t1552.002
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains: # Add more paths as they are discovered
24            - '\Software\SimonTatham\PuTTY\Sessions'
25            - '\Software\\SimonTatham\PuTTY\SshHostKeys\'
26            - '\Software\Mobatek\MobaXterm\'
27            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
28            - '\Software\Aerofox\FoxmailPreview'
29            - '\Software\Aerofox\Foxmail\V3.1'
30            - '\Software\IncrediMail\Identities'
31            - '\Software\Qualcomm\Eudora\CommandLine'
32            - '\Software\RimArts\B2\Settings'
33            - '\Software\OpenVPN-GUI\configs'
34            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
35            - '\Software\FTPWare\COREFTP\Sites'
36            - '\Software\DownloadManager\Passwords'
37            - '\Software\OpenSSH\Agent\Keys'
38            - '\Software\TightVNC\Server'
39            - '\Software\ORL\WinVNC3\Password'
40            - '\Software\RealVNC\WinVNC4'
41    condition: selection
42falsepositives:
43    - Unknown
44level: medium

References

• More Data Exfiltration - SANS Internet Storm Center

  

  More Data Exfiltration, Author: Xavier Mertens

  
  Read More

• Radmin3-Password-Cracker/regkey.txt at acfc87393e4b7c06353973a14a6c7126a51f36ac · synacktiv/Radmin3-Password-Cracker

  

  Radmin Server 3 credentials dumper/cracker. Contribute to synacktiv/Radmin3-Password-Cracker development by creating an account on GitHub.

  
  Read More

• GitHub - HyperSine/how-does-MobaXterm-encrypt-password: This repo offers a tool to reveal password encrypted by MobaXterm.

  

  This repo offers a tool to reveal password encrypted by MobaXterm. - HyperSine/how-does-MobaXterm-encrypt-password

  
  Read More

• Windows Local Privilege Escalation | HackTricks

  

  Best tool to look for Windows local privilege escalation vectors: WinPEAS Initial Windows Theory Access Tokens If you don't know what are Windows Access Tokens, read the following page before conti...

  
  Read More

Related rules

• Enumeration for Credentials in Registry
• SAM Registry Hive Handle Request
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• ADCS Certificate Template Configuration Vulnerability