Enumeration for 3rd Party Creds From CLI

 1title: Enumeration for 3rd Party Creds From CLI
 2id: 87a476dc-0079-4583-a985-dee7a20a03de
 3related:
 4    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
 5      type: derived
 6    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
 7      type: similar
 8status: test
 9description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
10references:
11    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
12    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
13    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
14    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2022-06-20
17modified: 2025-05-22
18tags:
19    - attack.credential-access
20    - attack.t1552.002
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        CommandLine|contains: # Add more paths as they are discovered
27            - '\Software\Aerofox\Foxmail\V3.1'
28            - '\Software\Aerofox\FoxmailPreview'
29            - '\Software\DownloadManager\Passwords'
30            - '\Software\FTPWare\COREFTP\Sites'
31            - '\Software\IncrediMail\Identities'
32            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
33            - '\Software\Mobatek\MobaXterm\'
34            - '\Software\OpenSSH\Agent\Keys'
35            - '\Software\OpenVPN-GUI\configs'
36            - '\Software\ORL\WinVNC3\Password'
37            - '\Software\Qualcomm\Eudora\CommandLine'
38            - '\Software\RealVNC\WinVNC4'
39            - '\Software\RimArts\B2\Settings'
40            - '\Software\SimonTatham\PuTTY\Sessions'
41            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
42            - '\Software\Sota\FFFTP'
43            - '\Software\TightVNC\Server'
44            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
45    filter_main_other_rule:  # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
46        Image|endswith: 'reg.exe'
47        CommandLine|contains:
48            - 'export'
49            - 'save'
50    condition: selection and not 1 of filter_main_*
51falsepositives:
52    - Unknown
53level: medium

References

• More Data Exfiltration - SANS Internet Storm Center

  

  More Data Exfiltration, Author: Xavier Mertens

  
  Read More

• Radmin3-Password-Cracker/regkey.txt at acfc87393e4b7c06353973a14a6c7126a51f36ac · synacktiv/Radmin3-Password-Cracker

  

  Radmin Server 3 credentials dumper/cracker. Contribute to synacktiv/Radmin3-Password-Cracker development by creating an account on GitHub.

  
  Read More

• GitHub - HyperSine/how-does-MobaXterm-encrypt-password: This repo offers a tool to reveal password encrypted by MobaXterm.

  

  This repo offers a tool to reveal password encrypted by MobaXterm. - HyperSine/how-does-MobaXterm-encrypt-password

  
  Read More

• Page not found - HackTricks

  This URL is invalid, sorry. Please use the navigation bar or search to continue.

  
  Read More

Related rules

• Registry Export of Third-Party Credentials
• Enumeration for Credentials in Registry
• SAM Registry Hive Handle Request
• Suspicious File Access to Browser Credential Storage
• Crash Dump Created By Operating System