Detecting Attempts to Steal Passwords from the Registry

David French (threatpunter)
Oct 2, 2018

Adversaries may query the Windows Registry looking for credentials and passwords that have been stored for use by other programs or services. Depending on the system configuration, domain cached credentials, local user credentials, and LSA secrets are cached in the Registry.

Credentials in Registry is MITRE ATT&CK Technique T1214.

Here are some steps to configure object access auditing in Windows to detect an attacker querying the Registry for passwords.

These auditing settings can be applied to endpoints across your environment via Group Policy, but in this example I will be applying the settings to a single client endpoint.

Note: if you decide to implement any of the monitoring and detection detailed in this post in a production environment, it’s likely that some tuning will be required to filter benign or expected behavior.

Configure Registry Auditing to Detect Access to Registry Hives/Keys

Under the Local Computer Policy settings (Group Policy if applying settings from a domain controller), turn on Audit object access for successful and failed access events.

In regedit.exe, apply the configuration below to monitor for successful and failed read attempts to the following root keys and subkeys:

Cached Domain Credentials

HKLM\Security — This key only
HKLM\Security\Cache — This key and subkeys
HKLM\System — This key only

LSA Secrets

HKLM\Security — This key only
HKLM\Security\Policy\Secrets — This key and subkeys
HKLM\System — This key only

Local password hashes

HKLM\Sam — This key only
HKLM\System — This key only
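The same audit configuration can be scripted instead of clicked through in regedit.exe. The following is an added example and not the post's own code: it enables the Registry subcategory of Object Access auditing with auditpol and applies a SACL to each key listed above, with the "this key only" and "this key and subkeys" scopes from the lists. The choice of the `Everyone` principal and `ReadKey` rights for the audit rule is my assumption; the key list and scopes come from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own code: apply the audit configuration above from an
# elevated PowerShell prompt. Key list and scopes are from the post; auditing the
# 'Everyone' principal for ReadKey rights is an assumption of this example.

# 1. Enable the Registry subcategory of Object Access auditing for success and failure.
#    (The post turns on the whole Object Access category; this is the finer-grained
#    equivalent that covers registry keys.)
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Keys from the post and the scope each SACL entry should cover.
$AuditTargets = @(
    @{ Path = 'HKLM:\SECURITY';                Subkeys = $false },  # this key only
    @{ Path = 'HKLM:\SECURITY\Cache';          Subkeys = $true  },  # this key and subkeys
    @{ Path = 'HKLM:\SECURITY\Policy\Secrets'; Subkeys = $true  },  # this key and subkeys
    @{ Path = 'HKLM:\SAM';                     Subkeys = $false },  # this key only
    @{ Path = 'HKLM:\SYSTEM';                  Subkeys = $false }   # this key only
)

function Add-RegistryReadAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [bool]   $IncludeSubkeys = $false,
        [string] $Identity = 'Everyone'
    )
    # ContainerInherit makes the entry flow down to subkeys; None keeps it on this key only.
    $inherit = if ($IncludeSubkeys) {
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    # Audit successful AND failed read-style opens (QueryValues, EnumerateSubKeys,
    # Notify, ReadPermissions), which is what the post asks regedit.exe to record.
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        ([System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure)
    )
    $acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL, not only the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($target in $AuditTargets) {
    try {
        Add-RegistryReadAuditRule -Path $target.Path -IncludeSubkeys $target.Subkeys
        Write-Output "Audit rule applied: $($target.Path)"
    } catch {
        # The SAM and SECURITY hives grant Administrators no DACL rights by default, so the
        # registry provider may refuse to open them even from an elevated prompt. Applying
        # the SACL in regedit.exe (the post's method) or running this script as SYSTEM
        # (for example from a scheduled task) avoids that.
        Write-Warning "Could not apply audit rule to $($target.Path): $($_.Exception.Message)"
    }
}

# 3. Verify: the subcategory should report Success and Failure, and each key should list the rule.
auditpol /get /subcategory:"Registry"
foreach ($target in $AuditTargets) {
    try {
        (Get-Acl -Path $target.Path -Audit).Audit |
            Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
    } catch {
        Write-Warning "Cannot read the SACL on $($target.Path)"
    }
}
```

The verification step matters: a rule that was silently not written to SAM or SECURITY means the hive dumps described below never produce Event ID 4656, so check each key's SACL before relying on the detection.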

Detect Access Attempts to Registry Keys and Sub-Keys

You will see Event ID 4656 logged when password hashes are dumped from the registry using tools such as Mimikatz, Pysecdump, or Metasploit.

mimikatz # lsadump::cache

Detect Use of reg.exe to Save Registry Hives

You will also see Event ID 4656 when reg.exe is used to save or query the HKLM\Security, System, or Sam registry hives.

reg.exe SAVE HKLM\sam sam_backup.hiv
reg.exe SAVE HKLM\security security_backup.hiv
reg.exe SAVE HKLM\system system_backup.hiv
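Both cases above (an in-memory credential dumper and reg.exe saving a hive) surface as Event ID 4656 with ObjectType "Key" and an ObjectName under the hives that carry the SACL. The following is an added example, not the post's own code: it parses 4656 records from the Security log, decodes the access mask, and flags opens of the SAM, SECURITY (including Cache and Policy\Secrets) and SYSTEM keys. The kernel-style object names (`\REGISTRY\MACHINE\...`) and the field names follow the 4656 event schema; the sample event at the end is constructed for an offline run and is not a real capture.

```powershell
# Added example, not the post's own code: triage Security Event ID 4656 for handle
# requests against the credential-bearing registry keys the post tells you to audit.
# Field names follow the 4656 schema; the sample event below is constructed, not captured.

# Patterns mirror the SACL scopes from the post: SAM and SYSTEM "this key only",
# SECURITY itself plus the Cache and Policy\Secrets subtrees. -match is case-insensitive.
$SensitiveKeyPatterns = @(
    '^\\REGISTRY\\MACHINE\\SAM$',
    '^\\REGISTRY\\MACHINE\\SYSTEM$',
    '^\\REGISTRY\\MACHINE\\SECURITY$',
    '^\\REGISTRY\\MACHINE\\SECURITY\\(CACHE|POLICY\\SECRETS)(\\|$)'
)

function Test-SensitiveRegistryObject {
    param([string] $ObjectName)
    foreach ($p in $SensitiveKeyPatterns) { if ($ObjectName -match $p) { return $true } }
    return $false
}

function ConvertFrom-Event4656 {
    # Flattens one 4656 event (as XML) into the fields an analyst triages on.
    param([Parameter(Mandatory)] [xml] $EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ObjectType'] -ne 'Key') { return $null }   # only registry objects

    # The Keywords field distinguishes Audit Success (0x8020...) from Audit Failure (0x8010...).
    $outcome = switch ($EventXml.Event.System.Keywords) {
        '0x8020000000000000' { 'Success' }
        '0x8010000000000000' { 'Failure' }
        default              { 'Unknown' }
    }
    # Decode the hex AccessMask into RegistryRights names, e.g. 0x20019 -> ReadKey.
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    [pscustomobject]@{
        TimeCreated = $EventXml.Event.System.TimeCreated.SystemTime
        Computer    = $EventXml.Event.System.Computer
        Outcome     = $outcome
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ProcessName = $data['ProcessName']
        ProcessId   = [Convert]::ToInt32($data['ProcessId'], 16)   # 4656 logs the PID in hex
        ObjectName  = $data['ObjectName']
        Access      = [System.Security.AccessControl.RegistryRights] $mask
        Sensitive   = (Test-SensitiveRegistryObject $data['ObjectName'])
    }
}

function Get-SensitiveRegistryAccess {
    # Live mode: scan the most recent 4656 events on this host and keep only the sensitive keys.
    param([int] $MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event4656 ([xml] $_.ToXml()) } |
        Where-Object { $_ -and $_.Sensitive }
}

# Constructed sample: reg.exe opening the SAM hive, the post's "reg.exe SAVE HKLM\sam" case.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4656</EventID>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-02T14:05:00.000Z" />
    <Computer>WKSTN01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">Key</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SAM</Data>
    <Data Name="AccessMask">0x20019</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="ProcessName">C:\Windows\System32\reg.exe</Data>
  </EventData>
</Event>
'@

# Offline run against the constructed event; Sensitive should be True and Access ReadKey.
ConvertFrom-Event4656 ([xml] $SampleEvent) | Format-List

# On an endpoint with the SACLs in place:
# Get-SensitiveRegistryAccess -MaxEvents 500 |
#     Format-Table TimeCreated, Outcome, Subject, ProcessName, ObjectName, Access
```

For tuning, the ProcessName and Subject fields are the usual pivot: lsass.exe, services.exe and backup agents open these keys as part of normal operation, so baseline those first and alert on everything else, with a failed open of SAM or SECURITY by a user-context process being the highest-value signal.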
