199. That's How Katz Stealer Extracts Authentication Material from Registry

Hello everyone!

Stealers. I'm sure you see this threat every day! And it's EXTREMELY noisy, as it extracts lots of sensitive data from a compromised system.

Let's look at another example of how adversaries leverage the following technique: Unsecured Credentials: Credentials in Registry (T1552.002).

So, we're going to look at Katz Stealer. Here's how it abuses reg.exe (launched through cmd.exe /c) to export the registry keys where FFFTP and WinSCP keep their saved sessions, i.e. the authentication material, into .reg files under %LOCALAPPDATA%:

cmd.exe /c reg export "HKCU\Software\Sota\FFFTP" "%LOCALAPPDATA%\FFFTP_registry.reg" /y

cmd.exe /c reg export "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" "%LOCALAPPDATA%\WinSCP_registry.reg" /y

As always, we can transform it into a detection query. The process creation event for reg.exe carries the full command line, so the export verb plus the vendor key name is enough to key on:

event_type: "processcreatewin"
AND
proc_file_path: "reg.exe"
AND
cmdline: ("export" AND ("FFFTP" OR "WinSCP"))

A few practical notes: match proc_file_path on the image name, since most telemetry records the full path (C:\Windows\System32\reg.exe); keep the string matching case-insensitive, because reg.exe accepts the key path in any case; and the parent cmd.exe process carries the same command line, so a sibling rule on cmd.exe /c reg export will catch the wrapper as well. The .reg file dropped into %LOCALAPPDATA% is a second artifact: worth a file-creation rule, and the first thing to collect during response, since it contains whatever the stealer was after.
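The query above rendered as runnable detection logic over a handful of constructed process-creation events, as an added example that is not part of the original post. Field names follow the query (event_type, proc_file_path, cmdline); the sample events, the username, the benign commands and the alert format are assumptions made for the example. Beyond the bare query it also handles the points a practitioner has to get right: the full image path, mixed-case command lines, the parent cmd.exe event that carries the same command line but is not reg.exe, and pulling the exported key and output file out of the command line for the alert.

```python
"""Detection for reg.exe exports of FFFTP/WinSCP keys (T1552.002).
Example code written for this post, not part of the original."""
import re
from typing import Iterable, Optional, Tuple

# Constructed sample events (assumption: field names mirror the post's query).
SAMPLE_EVENTS = [
    # The two Katz Stealer exports, as seen on the reg.exe child process.
    {"id": 1, "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKCU\Software\Sota\FFFTP" "C:\Users\alice\AppData\Local\FFFTP_registry.reg" /y'},
    {"id": 2, "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" "C:\Users\alice\AppData\Local\WinSCP_registry.reg" /y'},
    # Same intent, different casing, no quotes: must still fire.
    {"id": 3, "event_type": "processcreatewin",
     "proc_file_path": r"C:\WINDOWS\system32\REG.EXE",
     "cmdline": r"REG.EXE EXPORT hkcu\software\sota\ffftp C:\temp\f.reg /y"},
    # Benign export of an unrelated key (constructed): must not fire.
    {"id": 4, "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKLM\SOFTWARE\Contoso\Agent" "C:\backup\agent.reg" /y'},
    # Read-only query of the WinSCP key: not an export.
    {"id": 5, "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"'},
    # Right command line, wrong event type (not a process creation).
    {"id": 6, "event_type": "filecreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKCU\Software\Sota\FFFTP" "C:\x.reg" /y'},
    # The cmd.exe wrapper Katz actually runs: same tokens, but the image is
    # cmd.exe, so this rule leaves it to the reg.exe child (event 1).
    {"id": 7, "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg export "HKCU\Software\Sota\FFFTP" "C:\Users\alice\AppData\Local\FFFTP_registry.reg" /y'},
]

WATCHED_RE = re.compile(r"FFFTP|WinSCP", re.IGNORECASE)  # the post's two tokens
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # split on whitespace, honouring quotes


def _tokens(cmdline: str) -> list:
    """Tokenise a Windows command line and strip surrounding double quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def is_reg_exe(proc_file_path: str) -> bool:
    """True if the image name (last path component) is reg.exe, any case."""
    name = re.split(r"[\\/]", proc_file_path)[-1]
    return name.lower() == "reg.exe"


def export_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (registry_key, output_file) for a 'reg export KEY FILE' command line, else None."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        if tok.lower() == "export" and i + 2 < len(toks):
            return toks[i + 1], toks[i + 2]
    return None


def matches_katz_reg_export(event: dict) -> bool:
    """Python rendering of the post's query: process creation of reg.exe whose
    command line has the export verb and mentions FFFTP or WinSCP."""
    if event.get("event_type") != "processcreatewin":
        return False
    if not is_reg_exe(event.get("proc_file_path", "")):
        return False
    cmdline = event.get("cmdline", "")
    if export_target(cmdline) is None:
        return False
    return WATCHED_RE.search(cmdline) is not None


def detect(events: Iterable[dict]) -> list:
    """Run the rule over events; one alert per hit, enriched with key and output file."""
    alerts = []
    for ev in events:
        if matches_katz_reg_export(ev):
            key, outfile = export_target(ev["cmdline"])
            alerts.append({"id": ev["id"], "technique": "T1552.002",
                           "key": key, "outfile": outfile})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events 1, 2 and 3 fire; 4 through 7 do not. The outfile field in each alert is the .reg file to grab during response, and the key field tells you which client's sessions were taken.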

See you tomorrow!
