Detection rules › Splunk
Credentials in Registry (Windows Event Log)
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1552.002 Unsecured Credentials: Credentials in Registry |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '6135.6624'
title: Credentials in Registry
description: 'Adversaries may search the Registry on compromised systems for insecurely
stored credentials. The Windows Registry stores configuration information that can
be used by the system or other programs. -- Threat Actor Association: Antlion, APT10/Cicada,
APT27/Emissary Panda, APT41, Flax Typhoon, Lancefly, Lazarus, Mustang Panda (aka.
Stately Taurus//Earth Preta/BRONZE PRESIDENT/TA416/RedDelta), Redfly, TA428, Tropic
Trooper, Volt Typhoon - Software Association: Akira, AZORLUT, Blackcat/ALPHV, CL-STA-0043,
DatopLoader, Diavol, Play, PYSA/Mespinoza, QAKBOT, Ransom Cartel, Rhysida, TorrentLocker,
Tricky Pyxie, Yanluowang -- Atomics T1003.002 Test #1 Atomics T1003.003 Test #2
Atomics T1003.004 Test #1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) (TERM(reg) AND TERM(query) AND ((TERM(HKLM) OR
TERM(HKCU)) AND TERM(password) AND TERM(REG_SZ)) OR TERM(Winlogon) OR TERM(SNMP)
OR TERM(Sessions) OR (TERM(WinVNC4) AND TERM(password))) OR (TERM(reg) AND TERM(save)
AND (TERM(system) OR TERM(SAM) OR TERM(security))) | table _time, host, user, process,
process_*, parent_*, signature_id | bin span=1s | stats values(*) as * by _time,
host '
techniques:
- credential-access:unsecured credentials:credentials in registry
technique_id:
- T1552.002
data_category:
- Windows event logs
- Process command-line parameters
references:
- https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
- https://assets.sentinelone.com/labs/sentinel-one-valak-i
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) (TERM(reg) AND TERM(query) AND ((TERM(HKLM) OR TERM(HKCU)) AND TERM(password) AND TERM(REG_SZ)) OR TERM(Winlogon) OR TERM(SNMP) OR TERM(Sessions) OR (TERM(WinVNC4) AND TERM(password))) OR (TERM(reg) AND TERM(save) AND (TERM(system) OR TERM(SAM) OR TERM(security)))
Stage 2: table
| table _time, host, user, process, process_*, parent_*, signature_id
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | TERM |
| 1 | reg |
| 1 | TERM |
| 1 | query |
| 1 | TERM |
| 1 | HKLM |
| 1 | TERM |
| 1 | HKCU |
| 1 | TERM |
| 1 | password |
| 1 | TERM |
| 1 | REG_SZ |
| 1 | TERM |
| 1 | Winlogon |
| 1 | TERM |
| 1 | SNMP |
| 1 | TERM |
| 1 | Sessions |
| 1 | TERM |
| 1 | WinVNC4 |
| 1 | TERM |
| 1 | password |
| 1 | TERM |
| 1 | reg |
| 1 | TERM |
| 1 | save |
| 1 | TERM |
| 1 | system |
| 1 | TERM |
| 1 | SAM |
| 1 | TERM |
| 1 | security |