← Back to Explore
sigmamediumHunting
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that holds credentials via commandline
Detection Query
selection:
CommandLine|contains:
- \Software\Aerofox\Foxmail\V3.1
- \Software\Aerofox\FoxmailPreview
- \Software\DownloadManager\Passwords
- \Software\FTPWare\COREFTP\Sites
- \Software\IncrediMail\Identities
- \Software\Martin Prikryl\WinSCP 2\Sessions
- \Software\Mobatek\MobaXterm\
- \Software\OpenSSH\Agent\Keys
- \Software\OpenVPN-GUI\configs
- \Software\ORL\WinVNC3\Password
- \Software\Qualcomm\Eudora\CommandLine
- \Software\RealVNC\WinVNC4
- \Software\RimArts\B2\Settings
- \Software\SimonTatham\PuTTY\Sessions
- \Software\SimonTatham\PuTTY\SshHostKeys\
- \Software\Sota\FFFTP
- \Software\TightVNC\Server
- \Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin
filter_main_other_rule:
Image|endswith: reg.exe
CommandLine|contains:
- export
- save
condition: selection and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://isc.sans.edu/diary/More+Data+Exfiltration/25698
- https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
- https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
Tags
attack.credential-accessattack.t1552.002
Raw Content
title: Enumeration for 3rd Party Creds From CLI
id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
- id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
type: derived
- id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
type: similar
status: test
description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
references:
- https://isc.sans.edu/diary/More+Data+Exfiltration/25698
- https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
- https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
- attack.credential-access
- attack.t1552.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: # Add more paths as they are discovered
- '\Software\Aerofox\Foxmail\V3.1'
- '\Software\Aerofox\FoxmailPreview'
- '\Software\DownloadManager\Passwords'
- '\Software\FTPWare\COREFTP\Sites'
- '\Software\IncrediMail\Identities'
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
- '\Software\Mobatek\MobaXterm\'
- '\Software\OpenSSH\Agent\Keys'
- '\Software\OpenVPN-GUI\configs'
- '\Software\ORL\WinVNC3\Password'
- '\Software\Qualcomm\Eudora\CommandLine'
- '\Software\RealVNC\WinVNC4'
- '\Software\RimArts\B2\Settings'
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\SimonTatham\PuTTY\SshHostKeys\'
- '\Software\Sota\FFFTP'
- '\Software\TightVNC\Server'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
filter_main_other_rule: # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
Image|endswith: 'reg.exe'
CommandLine|contains:
- 'export'
- 'save'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium