T1552.002 REGISTRYPasswordDumping

T1552.002 - REGISTRY Password Dumping

DESCRIPTION

Detects scanning of registry hives for the value password. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services

Example:

reg query HKLM /f password /t REG_SZ /s\ reg query HKCU /f password /t REG_SZ /s

Related

Agent Tesla, TrickBot, APT32, others

Reference:

https://github.com/SigmaHQ/sigma/blob/cf29e28a54daa9d52f7d1a5996f023e2d08cde84/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml#L9

ATT&CK TACTICS

T1552.002 - Unsecured Credentials: Credentials in Registry

Data Source(s): Command, Windows Registry

SENTINEL RULE QUERY

let c1 = @'reg.*query\s.*password';
find where InitiatingProcessCommandLine matches regex c1 or ProcessCommandLine matches regex c1 or CommandLine matches regex c1 

Triage

1. Inspect if the activity is expected and performed by an admin or a service

VERSION

Version 1.0 (date: 10/07/2023)