Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity, as well as for several PowerSploit modules with similar functionality.

ATT&CK Detection

Technique: Unsecured Credentials
Subtechnique(s): Credentials In Files, Credentials in Registry
Tactic(s): Credential Access
Level of Coverage: Low

Data Model References

Object: process
Action: create
Field: command_line

Implementations

Pseudocode - reg.exe password search & PowerSploit modules (Pseudocode, CAR native)

This is a pseudocode representation of the Splunk search below.

processes = search Process:Create
cred_processes = filter processes where (
  command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR
  command_line = "reg* query HKCU /f password /t REG_SZ /s" OR
  command_line = "*Get-UnattendedInstallFile*" OR
  command_line = "*Get-Webconfig*" OR
  command_line = "*Get-ApplicationHost*" OR
  command_line = "*Get-SiteListPassword*" OR
  command_line = "*Get-CachedGPPPassword*" OR
  command_line = "*Get-RegistryAutoLogon*")
output cred_processes

Splunk Search - reg.exe password search & PowerSploit modules (Splunk, Sysmon native)

This Splunk search looks for command lines of reg.exe used to search for passwords, as well as those of PowerSploit modules used for the same purpose.

((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*")
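The pseudocode and the Splunk search above can be exercised offline against a handful of process-creation records. The following Python is an added example, not CAR's own implementation or tooling: it compiles the analytic's eight wildcard terms into case-insensitive, whole-value regular expressions (the way Splunk evaluates a CommandLine="..." wildcard term), applies the Sysmon EventCode 1 / Security EventCode 4688 filter, and runs over a set of constructed sample events. The event dictionary layout (source, EventCode, host, CommandLine) is an assumption for the example. One of the constructed events also shows a caveat worth knowing when tuning: the HKCU pattern in the search has no leading "*", so the same query launched with a full path to reg.exe does not match it, whereas the HKLM pattern does have one.

```python
import fnmatch
import re

# Wildcard terms copied from the analytic's Splunk search (Splunk-style "*" globs).
CREDENTIAL_SEARCH_PATTERNS = [
    "*reg* query HKLM /f password /t REG_SZ /s*",
    "reg* query HKCU /f password /t REG_SZ /s",
    "*Get-UnattendedInstallFile*",
    "*Get-Webconfig*",
    "*Get-ApplicationHost*",
    "*Get-SiteListPassword*",
    "*Get-CachedGPPPassword*",
    "*Get-RegistryAutoLogon*",
]

# Compile each glob into a case-insensitive regex anchored to the whole field value,
# which mirrors how Splunk matches a quoted wildcard term against CommandLine.
_COMPILED = [
    (pattern, re.compile(fnmatch.translate(pattern), re.IGNORECASE))
    for pattern in CREDENTIAL_SEARCH_PATTERNS
]


def matching_pattern(command_line):
    """Return the first analytic pattern that matches command_line, or None."""
    for pattern, regex in _COMPILED:
        if regex.match(command_line):
            return pattern
    return None


def is_process_create(event):
    """Sysmon EventCode 1 and Security EventCode 4688 are the process-creation
    events the search keys on (event layout is assumed for this example)."""
    return (event["source"] == "sysmon" and event["EventCode"] == 1) or (
        event["source"] == "security" and event["EventCode"] == 4688
    )


def find_credential_searches(events):
    """Apply the analytic to a list of event dicts; return one hit per match."""
    hits = []
    for event in events:
        if not is_process_create(event):
            continue
        pattern = matching_pattern(event.get("CommandLine", ""))
        if pattern is not None:
            hits.append(
                {"host": event["host"], "CommandLine": event["CommandLine"], "pattern": pattern}
            )
    return hits


# Constructed sample events for the example; these are not real telemetry.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventCode": 1, "host": "ws01",
     "CommandLine": "reg query HKLM /f password /t REG_SZ /s"},
    {"source": "security", "EventCode": 4688, "host": "ws02",
     "CommandLine": 'powershell.exe -c "Import-Module .\\PowerUp.ps1; Get-CachedGPPPassword"'},
    {"source": "sysmon", "EventCode": 1, "host": "ws03",
     "CommandLine": "reg query HKCU /f password /t REG_SZ /s"},
    # Same HKCU query with a full path: the page's HKCU pattern has no leading "*",
    # so this command line is NOT matched by the analytic as written.
    {"source": "sysmon", "EventCode": 1, "host": "ws04",
     "CommandLine": r"C:\Windows\System32\reg.exe query HKCU /f password /t REG_SZ /s"},
    # Benign registry query: no password search, should not match.
    {"source": "sysmon", "EventCode": 1, "host": "ws05",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
    # Sysmon EventCode 3 is a network-connection event, not process creation; it is
    # given a CommandLine here only to show that the event-code filter drops it.
    {"source": "sysmon", "EventCode": 3, "host": "ws06",
     "CommandLine": "reg query HKLM /f password /t REG_SZ /s"},
]


if __name__ == "__main__":
    for hit in find_credential_searches(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['CommandLine']}  <- {hit['pattern']}")
```

Running the script reports hits on ws01, ws02 and ws03 only. The ws04 event is the one to note: it is the same registry password search as ws03, launched with a full path, and it slips past the HKCU term because that term is anchored to a command line starting with "reg". Whether to widen that term is a tuning decision for the deploying team; the example keeps the page's patterns unchanged so the behaviour of the search as published is what gets exercised.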