EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Registry Export of Third-Party Credentials

Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.

MITRE ATT&CK

T1552.002
credential-access

Detection Query

selection_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
selection_cli_save:
  CommandLine|contains:
    - save
    - export
selection_cli_path:
  CommandLine|contains:
    - \Software\Aerofox\Foxmail\V3.1
    - \Software\Aerofox\FoxmailPreview
    - \Software\DownloadManager\Passwords
    - \Software\FTPWare\COREFTP\Sites
    - \Software\IncrediMail\Identities
    - \Software\Martin Prikryl\WinSCP 2\Sessions
    - \Software\Mobatek\MobaXterm
    - \Software\OpenSSH\Agent\Keys
    - \Software\OpenVPN-GUI\configs
    - \Software\ORL\WinVNC3\Password
    - \Software\Qualcomm\Eudora\CommandLine
    - \Software\RealVNC\WinVNC4
    - \Software\RimArts\B2\Settings
    - \Software\SimonTatham\PuTTY\Sessions
    - \Software\SimonTatham\PuTTY\SshHostKeys
    - \Software\Sota\FFFTP
    - \Software\TightVNC\Server
    - \Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin
condition: all of selection_*

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-05-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1552.002
Raw Content
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high