mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-28 15:58:24 +01:00
4f83231697
* Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
39 lines
2.2 KiB
YAML
39 lines
2.2 KiB
YAML
---
|
|
Name: Reg.exe
|
|
Description: Used to manipulate the registry
|
|
Author: 'Oddvar Moe'
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
|
Description: Export the target Registry key and save it to the specified .REG file within an Alternate data stream.
|
|
Usecase: Hide/plant registry information in Alternate data stream for later use
|
|
Category: ADS
|
|
Privileges: User
|
|
MitreID: T1564.004
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
|
- Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak
|
|
Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
|
|
Usecase: Dump credentials from the Security Account Manager (SAM)
|
|
Category: Credentials
|
|
Privileges: Administrator
|
|
MitreID: T1003.002
|
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\reg.exe
|
|
- Path: C:\Windows\SysWOW64\reg.exe
|
|
Code_Sample:
|
|
- Code:
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
|
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
|
|
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_dump_registry_hives.toml
|
|
- IOC: reg.exe writing to an ADS
|
|
Resources:
|
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
|
- Link: https://pure.security/dumping-windows-credentials/
|
|
Acknowledgement:
|
|
- Person: Oddvar Moe
|
|
Handle: '@oddvarmoe'
|