Detectionmediumtest

Enumeration for 3rd Party Creds From CLI

Detects processes that query known 3rd party registry keys that holds credentials via commandline

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Jun 20Updated Thu May 2287a476dc-0079-4583-a985-dee7a20a03dewindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains: # Add more paths as they are discovered
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm\'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    filter_main_other_rule:  # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
        Image|endswith: 'reg.exe'
        CommandLine|contains:
            - 'export'
            - 'save'
    condition: selection and not 1 of filter_main_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1552.002 · Credentials in Registry

Related Rules

DerivedDetectionmedium

Enumeration for Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

This rule was derived from the related rule - both detect similar activity with different scope.

SimilarDetectionhigh

Registry Export of Third-Party Credentials

Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

87a476dc-0079-4583-a985-dee7a20a03de

Status

test

Level

medium

Type

Detection

Created

Mon Jun 20

Modified

Thu May 22

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml

Raw Tags

attack.credential-accessattack.t1552.002

View on GitHub