Detecting Attempts to Steal Passwords from the Registry

David French
Oct 2, 2018 · 3 min read

Adversaries may query the Windows Registry looking for credentials and passwords that have been stored for use by other programs or services. Depending on the system configuration, domain cached credentials, local user credentials, and LSA secrets are cached in the Registry.

Credentials in Registry is MITRE ATT&CK Technique T1214.

Here are some steps to configure object access auditing in Windows to detect an attacker querying the Registry for passwords.

These auditing settings can be applied to endpoints across your environment via Group Policy, but in this example I will be applying the settings to a single client endpoint.

Configure Registry Auditing to Detect Access to Registry Hives/Keys

Under the Local Computer Policy settings (Group Policy if applying settings from a domain controller), turn on Audit object access for successful and failed access events.

In regedit.exe, apply the configuration below to monitor for successful and failed read attempts to the following root keys and subkeys:

Cached Domain Credentials

HKLM\Security — This key only
HKLM\Security\Cache — This key and subkeys
HKLM\System — This key only

LSA Secrets

HKLM\Security — This key only
HKLM\Security\Policy\Secrets — This key and subkeys
HKLM\System — This key only

Local password hashes

HKLM\Sam — This key only
HKLM\System — This key only

Detect Access Attempts to Registry Keys and Sub-Keys

You will see Event ID 4656 logged when password hashes are dumped from the registry using tools such as Mimikatz, Pysecdump, or Metasploit.

mimikatz # lsadump::cache

Detect Use of reg.exe to Save Registry Hives

You will also see Event ID 4656 when reg.exe is used to save or query the HKLM\Security, System, or Sam registry hives.

reg.exe SAVE HKLM\sam sam_backup.hiv
reg.exe SAVE HKLM\security security_backup.hiv
reg.exe SAVE HKLM\system system_backup.hiv
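The following PowerShell is an added example and is not part of the original post. It ties the two halves of the write-up together from an elevated prompt on the audited endpoint: Test-RegistryAuditPolicy confirms that the Registry subcategory of "Audit object access" is set to Success and Failure (the prerequisite configured above), and Get-RegistryCredentialAccessEvent pulls the 4656 events that the SACLs on HKLM\Sam and HKLM\Security produce, whether the handle was requested by Mimikatz, reg.exe or anything else, and reports who asked, from which process, and whether the request succeeded. Both function names, the 24-hour default window and the hive pattern are my own choices; the rest relies only on the documented 4656 fields (ObjectType, ObjectName, ProcessName, SubjectUserName, AccessMask) and the auditpol /r CSV output.

```powershell
# Added example, not the post's code. Run elevated: reading the Security log
# and querying audit policy both require administrator rights.

function Test-RegistryAuditPolicy {
    # The post turns on "Audit object access"; 4656 events for registry keys
    # come from its Registry subcategory, so that is what is checked here.
    # /r makes auditpol emit CSV, which ConvertFrom-Csv turns into an object.
    $row = auditpol /get /subcategory:"Registry" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = 'Registry'
        Setting     = $setting
        Complete    = ($setting -eq 'Success and Failure')
    }
}

function Get-RegistryCredentialAccessEvent {
    param(
        [datetime]$StartTime = (Get-Date).AddHours(-24),
        # Kernel object paths for the hives the post places SACLs on.
        # HKLM\System is audited too but is touched by many legitimate
        # processes; add it to the pattern if you want to see it.
        [string]$HivePattern = '^\\REGISTRY\\MACHINE\\(SAM|SECURITY)(\\|$)'
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $StartTime } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # 4656 is also logged for files and processes; keep registry keys only.
        if ($data.ObjectType -eq 'Key' -and $data.ObjectName -match $HivePattern) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Outcome     = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                ProcessName = $data.ProcessName
                ProcessId   = [int]$data.ProcessId     # logged as a hex string, e.g. 0x1a4c
                ObjectName  = $data.ObjectName
                AccessMask  = $data.AccessMask
            }
        }
    }
}

# Usage: verify the policy, then summarise which processes requested handles to
# the audited hives. lsass.exe is expected; reg.exe, mimikatz.exe or an
# unfamiliar binary next to it is what the SACLs exist to surface.
Test-RegistryAuditPolicy
Get-RegistryCredentialAccessEvent |
    Group-Object ProcessName, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Group-Object summary is the quickest triage view: a handful of success events from lsass.exe is the baseline on a workstation, while the reg.exe SAVE commands above or a Mimikatz lsadump::cache run each show up as their own process row, and failures from a non-privileged user point at an attempt that the key's DACL blocked but the SACL still recorded.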

Threat Punter

Threat Hunting | Threat Detection | Malware Analysis | Forensics
