Registry Export of Third-Party Credentials

    Date: 05/27/2025

    Severity: Medium

    Summary

    Detects reg.exe being used (via its save or export subcommands) to dump registry keys that store third-party application credentials.
    Credential stealers commonly use this technique to extract sensitive data stored in the Windows registry.

    Indicators of Compromise (IOC) List

    Image : 

    '\reg.exe'

    OriginalFileName : 

    'reg.exe'

    CommandLine : 

    'save'

    'export'

    '\Software\Aerofox\Foxmail\V3.1'

    '\Software\Aerofox\FoxmailPreview'

    '\Software\DownloadManager\Passwords'

    '\Software\FTPWare\COREFTP\Sites'

    '\Software\IncrediMail\Identities'

    '\Software\Martin Prikryl\WinSCP 2\Sessions'

    '\Software\Mobatek\MobaXterm'

    '\Software\OpenSSH\Agent\Keys'

    '\Software\OpenVPN-GUI\configs'

    '\Software\ORL\WinVNC3\Password'

    '\Software\Qualcomm\Eudora\CommandLine'

    '\Software\RealVNC\WinVNC4'

    '\Software\RimArts\B2\Settings'

    '\Software\SimonTatham\PuTTY\Sessions'

    '\Software\SimonTatham\PuTTY\SshHostKeys'

    '\Software\Sota\FFFTP'

    '\Software\TightVNC\Server'

    '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security"  AND eventtype = "4688") AND processname like "reg.exe" AND (commandline like "save" or commandline like "export") AND (commandline like "\Software\Aerofox\Foxmail\V3.1" or commandline like "\Software\Aerofox\FoxmailPreview" or commandline like "\Software\DownloadManager\Passwords" or commandline like "\Software\FTPWare\COREFTP\Sites" or commandline like "\Software\IncrediMail\Identities" or commandline like "\Software\Martin Prikryl\WinSCP 2\Sessions" or commandline like "\Software\Mobatek\MobaXterm" or commandline like "\Software\OpenSSH\Agent\Keys" or commandline like "\Software\OpenVPN-GUI\configs" or commandline like "\Software\ORL\WinVNC3\Password" or commandline like "\Software\Qualcomm\Eudora\CommandLine" or commandline like "\Software\RealVNC\WinVNC4" or commandline like "\Software\RimArts\B2\Settings" or commandline like "\Software\SimonTatham\PuTTY\Sessions" or commandline like "\Software\SimonTatham\PuTTY\SshHostKeys" or commandline like "\Software\Sota\FFFTP" or commandline like "\Software\TightVNC\Server" or commandline like "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin")

    Detection Query :

    technologygroup = "EDR" AND processname like "reg.exe" AND (commandline like "save" or commandline like "export") AND (commandline like "\Software\Aerofox\Foxmail\V3.1" or commandline like "\Software\Aerofox\FoxmailPreview" or commandline like "\Software\DownloadManager\Passwords" or commandline like "\Software\FTPWare\COREFTP\Sites" or commandline like "\Software\IncrediMail\Identities" or commandline like "\Software\Martin Prikryl\WinSCP 2\Sessions" or commandline like "\Software\Mobatek\MobaXterm" or commandline like "\Software\OpenSSH\Agent\Keys" or commandline like "\Software\OpenVPN-GUI\configs" or commandline like "\Software\ORL\WinVNC3\Password" or commandline like "\Software\Qualcomm\Eudora\CommandLine" or commandline like "\Software\RealVNC\WinVNC4" or commandline like "\Software\RimArts\B2\Settings" or commandline like "\Software\SimonTatham\PuTTY\Sessions" or commandline like "\Software\SimonTatham\PuTTY\SshHostKeys" or commandline like "\Software\Sota\FFFTP" or commandline like "\Software\TightVNC\Server" or commandline like "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin")
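    As an added example (not Gurucul's code and not part of the original page), the Python below applies the same three conditions as the two queries above to process-creation records: the image or OriginalFileName identifies reg.exe, the command line carries a save or export verb, and the command line names one of the listed registry keys. Field names follow Sysmon event 1 (Image, OriginalFileName, CommandLine) and Security event 4688 (NewProcessName, CommandLine); the sample records are constructed for this example. It goes slightly beyond the queries in two ways: the verb is matched as a whole argument rather than a substring, and the alert reports which watched key was hit.

```python
"""Rule logic for reg.exe save/export of third-party credential keys.

Added example: mirrors the page's detection queries over constructed
process-creation records. Field names follow Sysmon event 1 / Security
event 4688 conventions; the sample events below are constructed.
"""
import shlex
from typing import Dict, Iterable, List, Optional

# Registry paths from the rule on the page. They are matched
# case-insensitively as substrings, like the 'commandline like' clauses,
# so an HKCU\ or HKLM\ prefix in front still matches.
CREDENTIAL_REG_PATHS = [
    r"\Software\Aerofox\Foxmail\V3.1",
    r"\Software\Aerofox\FoxmailPreview",
    r"\Software\DownloadManager\Passwords",
    r"\Software\FTPWare\COREFTP\Sites",
    r"\Software\IncrediMail\Identities",
    r"\Software\Martin Prikryl\WinSCP 2\Sessions",
    r"\Software\Mobatek\MobaXterm",
    r"\Software\OpenSSH\Agent\Keys",
    r"\Software\OpenVPN-GUI\configs",
    r"\Software\ORL\WinVNC3\Password",
    r"\Software\Qualcomm\Eudora\CommandLine",
    r"\Software\RealVNC\WinVNC4",
    r"\Software\RimArts\B2\Settings",
    r"\Software\SimonTatham\PuTTY\Sessions",
    r"\Software\SimonTatham\PuTTY\SshHostKeys",
    r"\Software\Sota\FFFTP",
    r"\Software\TightVNC\Server",
    r"\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin",
]

EXPORT_VERBS = {"save", "export"}


def is_reg_exe(image: str, original_file_name: str = "") -> bool:
    """Either field identifies reg.exe; OriginalFileName survives a rename."""
    return (image.lower().endswith("\\reg.exe")
            or original_file_name.lower() == "reg.exe")


def export_verb(command_line: str) -> Optional[str]:
    """Return 'save'/'export' if present as a whole argument, else None.

    Token match instead of substring, so a path such as C:\\saved\\x.txt
    does not satisfy the verb test on its own.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to plain whitespace split
        tokens = command_line.split()
    for tok in tokens:
        if tok.lower() in EXPORT_VERBS:
            return tok.lower()
    return None


def targeted_path(command_line: str) -> Optional[str]:
    """First watched registry path found in the command line, or None."""
    cl = command_line.lower()
    for path in CREDENTIAL_REG_PATHS:
        if path.lower() in cl:
            return path
    return None


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply the rule to one record; return alert fields or None."""
    image = event.get("Image") or event.get("NewProcessName", "")
    if not is_reg_exe(image, event.get("OriginalFileName", "")):
        return None
    cl = event.get("CommandLine", "")
    verb, path = export_verb(cl), targeted_path(cl)
    if verb is None or path is None:
        return None
    return {"verb": verb, "registry_path": path, "command_line": cl}


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of records and collect the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample records for this example (not from the page).
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg  save "HKCU\Software\SimonTatham\PuTTY\Sessions" C:\Users\Public\s.hiv'},
    {"Image": r"C:\Windows\SysWOW64\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg export HKLM\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin out.reg /y"},
    # benign: a query, no save/export verb
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKCU\Software\SimonTatham\PuTTY\Sessions"},
    # benign: export of a key that is not on the watch list
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg export HKCU\Software\Contoso\App backup.reg"},
    # renamed copy of reg.exe: caught only through OriginalFileName
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"r.exe save HKCU\Software\Mobatek\MobaXterm m.hiv"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

    Three of the five constructed records trigger, the third and fourth do not. The renamed-binary record shows why the page lists both Image and OriginalFileName: a rule keyed on the image path alone would miss it. Matching the watched key as a substring keeps the hive prefix (HKCU, HKLM, HKEY_CURRENT_USER) irrelevant, as in the queries, while requiring the verb as a whole argument avoids firing on unrelated paths that merely contain the letters "save".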

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml


    Tags: Sigma, Vulnerability, credential stealers
