Registry Export of Third-Party Credentials

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1552.002` Unsecured Credentials: Credentials in Registry

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\reg.exe'
OriginalFileName: reg.exe

Stage 2: `all of selection_cli_save`

or:
CommandLine|contains: export
CommandLine|contains: save

Stage 3: `all of selection_cli_path`

or:
CommandLine|contains: '\Software\Aerofox\FoxmailPreview'
CommandLine|contains: '\Software\Aerofox\Foxmail\V3.1'
CommandLine|contains: '\Software\DownloadManager\Passwords'
CommandLine|contains: '\Software\FTPWare\COREFTP\Sites'
CommandLine|contains: '\Software\IncrediMail\Identities'
CommandLine|contains: '\Software\Martin Prikryl\WinSCP 2\Sessions'
CommandLine|contains: '\Software\Mobatek\MobaXterm'
CommandLine|contains: '\Software\ORL\WinVNC3\Password'
CommandLine|contains: '\Software\OpenSSH\Agent\Keys'
CommandLine|contains: '\Software\OpenVPN-GUI\configs'
CommandLine|contains: '\Software\Qualcomm\Eudora\CommandLine'
CommandLine|contains: '\Software\RealVNC\WinVNC4'
CommandLine|contains: '\Software\RimArts\B2\Settings'
CommandLine|contains: '\Software\SimonTatham\PuTTY\Sessions'
CommandLine|contains: '\Software\SimonTatham\PuTTY\SshHostKeys'
CommandLine|contains: '\Software\Sota\FFFTP'
CommandLine|contains: '\Software\TightVNC\Server'
CommandLine|contains: '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`\Software\Aerofox\FoxmailPreview` corpus 2 (sigma 2) `\Software\Aerofox\Foxmail\V3.1` corpus 2 (sigma 2) `\Software\DownloadManager\Passwords` corpus 2 (sigma 2) `\Software\FTPWare\COREFTP\Sites` corpus 2 (sigma 2) `\Software\IncrediMail\Identities` corpus 2 (sigma 2) `\Software\Martin Prikryl\WinSCP 2\Sessions` corpus 2 (sigma 2) `\Software\Mobatek\MobaXterm` `\Software\ORL\WinVNC3\Password` corpus 2 (sigma 2) `\Software\OpenSSH\Agent\Keys` corpus 2 (sigma 2) `\Software\OpenVPN-GUI\configs` corpus 2 (sigma 2) `\Software\Qualcomm\Eudora\CommandLine` corpus 2 (sigma 2) `\Software\RealVNC\WinVNC4` corpus 2 (sigma 2) `\Software\RimArts\B2\Settings` corpus 2 (sigma 2) `\Software\SimonTatham\PuTTY\Sessions` corpus 2 (sigma 2) `\Software\SimonTatham\PuTTY\SshHostKeys` `\Software\Sota\FFFTP` corpus 2 (sigma 2) `\Software\TightVNC\Server` corpus 2 (sigma 2) `\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin` corpus 2 (sigma 2) `export` corpus 2 (sigma 2) `save` corpus 2 (sigma 2)
`Image`	ends_with	`\reg.exe` corpus 46 (sigma 46)
`OriginalFileName`	eq	`reg.exe` corpus 29 (sigma 29)