Registry Export of Third-Party Credentials

Rule Info

Name: Registry Export of Third-Party Credentials
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
Date: 2025-05-22 00:00:00
Modified: None
Id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
Tags: attack.credential-access, attack.t1552.002
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5429 from @swachchhanda000 - Katz stealer malware
Date: 2025-05-26
Commit: