199. That's How Katz Stealer Extracts Authentication Material from Registry
Hello everyone!
Stealers. I'm sure you see this threat every day! And it's EXTREMELY noisy, since it extracts lots of sensitive data from a compromised system.
Let's look at another example of how adversaries leverage the following technique: Unsecured Credentials: Credentials in Registry (T1552.002).
So, we're going to look at Katz Stealer. Here's how it abuses reg.exe to extract authentication material for FFFTP and WinSCP:
cmd.exe /c reg export "HKCU\Software\Sota\FFFTP" "%LOCALAPPDATA%\FFFTP_registry.reg" /y
cmd.exe /c reg export "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" "%LOCALAPPDATA%\WinSCP_registry.reg" /y
As always, we can transform it into a detection query:
event_type: "processcreatewin"
AND
proc_file_path: "reg.exe"
AND
cmdline: ("export" AND ("FFFTP" OR "WinSCP"))
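The same logic, run over a handful of constructed process-creation events, as an added example (not part of the original post). The two reg.exe command lines are the ones quoted above; the benign events, the field names (event_type, proc_file_path, cmdline) used as dictionary keys, and the small parse_export() helper that pulls out the exported key and destination file for triage are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample process-creation events (not real telemetry). The first two
# command lines are the ones quoted in the post; the rest are benign noise that
# shows the logic does not fire on every reg.exe launch or on every export.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKCU\Software\Sota\FFFTP" "%LOCALAPPDATA%\FFFTP_registry.reg" /y'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" "%LOCALAPPDATA%\WinSCP_registry.reg" /y'},
    # Benign export of an unrelated key: "export" is present, target names are not.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKLM\SOFTWARE\Policies" "C:\temp\policies.reg" /y'},
    # Same key, but a query rather than an export.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKCU\Software\Sota\FFFTP"'},
    # Wrong event type: the query only looks at process creation.
    {"event_type": "filecreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKCU\Software\Sota\FFFTP" "C:\x.reg" /y'},
]

# Application names from the post's query.
TARGET_KEYWORDS = ("FFFTP", "WinSCP")

# Hypothetical helper (not from the post): captures <key> and <file> from
# `reg export "<key>" "<file>"` so an alert can say what was dumped and where.
EXPORT_RE = re.compile(r'export\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)


def is_reg_export_of_credentials(event: dict) -> bool:
    """Mirror the post's query: reg.exe process creation whose command line
    contains 'export' and at least one of the targeted application names."""
    if event.get("event_type") != "processcreatewin":
        return False
    if not event.get("proc_file_path", "").lower().endswith("reg.exe"):
        return False
    lowered = event.get("cmdline", "").lower()
    if "export" not in lowered:
        return False
    return any(k.lower() in lowered for k in TARGET_KEYWORDS)


def parse_export(cmdline: str) -> Optional[tuple]:
    """Return (exported_key, destination_file) or None if not an export."""
    m = EXPORT_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def find_hits(events) -> list:
    """Run the detection over a list of events and return enriched hits."""
    hits = []
    for ev in events:
        if is_reg_export_of_credentials(ev):
            key, dest = parse_export(ev["cmdline"]) or (None, None)
            hits.append({"key": key, "dest": dest})
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: reg.exe exported {h['key']} to {h['dest']}")
```

Only the two Katz Stealer command lines match; the unrelated export, the query, and the non-process event are left alone. The destination file is worth keeping in the alert: the exported .reg file in %LOCALAPPDATA% is the artifact to collect during response. If the keyword match proves too loose in your environment, matching on the full key paths (Software\Sota\FFFTP and Martin Prikryl\WinSCP 2\Sessions) is a tighter variant of the same rule.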
See you tomorrow!