Mirrors/keyboardcrunch-sentinelone-attack-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries synced 2026-06-08 17:17:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

T1552.002 Credentials in Registry

Browse Source
This commit is contained in:
@
2020-10-23 15:13:38 -05:00
parent 619c7d57fc
commit 1ee7efa88a
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Tactics/CredentialAccess.md
+5
View File
@@ -34,6 +34,11 @@ TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permi
### T1552.002 Credentials in Registry
Atomics: [T1552.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md)
This query detects enumeration and discovery of credentials within the Registry, including Putty sessions.
`
TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS "query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"
`
### T1056.002 GUI Input Capture
Atomics: [T1056.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md)