Attempted Credential Dump From Registry Via Reg.exe

Description

This search looks for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline,

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

Low

Journey

Stage 3

MITRE ATT&CK Tactics

Credential Access

MITRE ATT&CK Techniques

OS Credential Dumping

MITRE Threat Groups

APT28
APT32
APT39
Axiom
Frankenstein
Leviathan
Poseidon Group
Sowbug
Suckfly

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Attempted Credential Dump From Registry Via Reg.exe Help

This search looks for the process reg.exe with the "save" parameter, which specifies a binary export from the registry. In addition, it looks for the keys that contain the hashed credentials, which attackers may retrieve and use for brute-force attacks in order to harvest legitimate credentials.