Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
Sigma rule

```yaml
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
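As an added example, not part of the SigmaHQ rule or this page: a Python evaluation of the rule's three selections against constructed process_creation events, so the `all of selection_*` logic can be checked on sample telemetry. It assumes Sigma's default case-insensitive string matching; the event dictionaries are constructed, not real logs.

```python
from typing import Iterable

# Registry paths from the rule's selection_cli_path, copied verbatim.
CREDENTIAL_PATHS = [
    r"\Software\Aerofox\Foxmail\V3.1", r"\Software\Aerofox\FoxmailPreview",
    r"\Software\DownloadManager\Passwords", r"\Software\FTPWare\COREFTP\Sites",
    r"\Software\IncrediMail\Identities", r"\Software\Martin Prikryl\WinSCP 2\Sessions",
    r"\Software\Mobatek\MobaXterm", r"\Software\OpenSSH\Agent\Keys",
    r"\Software\OpenVPN-GUI\configs", r"\Software\ORL\WinVNC3\Password",
    r"\Software\Qualcomm\Eudora\CommandLine", r"\Software\RealVNC\WinVNC4",
    r"\Software\RimArts\B2\Settings", r"\Software\SimonTatham\PuTTY\Sessions",
    r"\Software\SimonTatham\PuTTY\SshHostKeys", r"\Software\Sota\FFFTP",
    r"\Software\TightVNC\Server",
    r"\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin",
]

def matches_rule(event: dict) -> bool:
    """True when all three selections match, mirroring `condition: all of selection_*`.
    Assumption: Sigma string modifiers compare case-insensitively, so fields are lower-cased."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    selection_img = image.endswith(r"\reg.exe") or original == "reg.exe"   # list = OR
    selection_cli_save = "save" in cli or "export" in cli                   # list = OR
    selection_cli_path = any(p.lower() in cli for p in CREDENTIAL_PATHS)
    return selection_img and selection_cli_save and selection_cli_path

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",                                 # should alert
     "CommandLine": r'reg export "HKCU\Software\SimonTatham\PuTTY\Sessions" C:\Users\Public\s.reg'},
    {"Image": r"C:\Windows\System32\reg.exe",                                 # query, not save/export
     "CommandLine": r'reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"'},
    {"Image": r"C:\Windows\System32\reg.exe",                                 # export of an unlisted path
     "CommandLine": r'reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg'},
    {"Image": r"C:\Temp\r.exe", "OriginalFileName": "reg.exe",                # renamed binary, caught via OriginalFileName
     "CommandLine": r'r.exe save "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" w.hiv'},
]

def alerts(events: Iterable[dict]) -> list:
    """Indexes of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 3]
```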
Related rules
- Enumeration for 3rd Party Creds From CLI
- Enumeration for Credentials in Registry
- SAM Registry Hive Handle Request
- Suspicious File Access to Browser Credential Storage
- Crash Dump Created By Operating System