title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
status: test
description: Detects handles requested to SAM registry hive
references:
    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
    - attack.credential-access
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Enumeration for 3rd Party Creds From CLI
id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
      type: derived
    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
      type: similar
status: test
description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
references:
    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: # Add more paths as they are discovered
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm\'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    filter_main_other_rule:  # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
        Image|endswith: 'reg.exe'
        CommandLine|contains:
            - 'export'
            - 'save'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Enumeration for Credentials in Registry
id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
status: test
description: |
    Adversaries may search the Registry on compromised systems for insecurely stored credentials.
    The Windows Registry stores configuration information that can be used by the system or other programs.
    Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - ' query '
            - '/t '
            - 'REG_SZ'
            - '/s'
    hive:
        - CommandLine|contains|all:
              - '/f '
              - 'HKLM'
        - CommandLine|contains|all:
              - '/f '
              - 'HKCU'
        - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
    condition: reg and hive
falsepositives:
    - Unknown
level: medium