This detection rule identifies artifacts of creddump, a Python-based tool for extracting credentials and secrets from Windows registry hives; a match may indicate an adversary attempting to harvest credentials from those hives. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of credential theft and potential lateral movement in their environment.
YARA Rule
rule hacktool_windows_moyix_creddump
{
    meta:
        description = "creddump is a python tool to extract credentials and secrets from Windows registry hives."
        reference = "https://github.com/moyix/creddump"
        author = "@mimeframe"
        id = "b3147c06-a1a5-53f2-b1f8-78d6474f9bbe"
    strings:
        $a1 = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%" wide ascii
        $a2 = "0123456789012345678901234567890123456789" wide ascii
        $a3 = "NTPASSWORD" wide ascii
        $a4 = "LMPASSWORD" wide ascii
        $a5 = "aad3b435b51404eeaad3b435b51404ee" wide ascii
        $a6 = "31d6cfe0d16ae931b73c59d7e0c089c0" wide ascii
    condition:
        all of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns ($a1 through $a6) in its detection logic, each declared wide ascii, and it fires only when all of them are present (condition: all of ($a*)).
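To show how the rule's wide ascii modifiers and its all of ($a*) condition behave, here is an added Python example (not part of this page, the creddump project, or the rule author's work) that emulates the rule's string matching over constructed sample buffers without using the yara library. The sample buffers and the helper names are assumptions made for the example.

```python
# Emulates rule hacktool_windows_moyix_creddump: each string is looked up in
# its plain ASCII form and in its UTF-16LE ("wide") form, and the rule fires
# only when every identifier is found. Helper and sample names are invented.

# The six string patterns from the rule on the page.
CREDDUMP_STRINGS = {
    "$a1": "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%",
    "$a2": "0123456789012345678901234567890123456789",
    "$a3": "NTPASSWORD",
    "$a4": "LMPASSWORD",
    # $a5 / $a6 are the well-known LM and NT hashes of an empty password.
    "$a5": "aad3b435b51404eeaad3b435b51404ee",
    "$a6": "31d6cfe0d16ae931b73c59d7e0c089c0",
}


def encodings(text):
    """'wide ascii' in YARA: the pattern matches as raw ASCII or as UTF-16LE."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def match_creddump(data):
    """Return {identifier: encoding} for every rule string found in data."""
    hits = {}
    for ident, text in CREDDUMP_STRINGS.items():
        for enc_name, pattern in encodings(text).items():
            if pattern in data:
                hits[ident] = enc_name
                break
    return hits


def rule_fires(data):
    """condition: all of ($a*) -> every identifier must have at least one hit."""
    return len(match_creddump(data)) == len(CREDDUMP_STRINGS)


# Constructed sample buffers (not real files): all strings as ASCII, all strings
# as UTF-16LE, and a benign-looking buffer carrying only the labels and the two
# empty-password hashes, which a partial match should NOT flag.
SAMPLE_ASCII = b"\x00".join(s.encode("ascii") for s in CREDDUMP_STRINGS.values())
SAMPLE_WIDE = b"\x00\x00".join(s.encode("utf-16-le") for s in CREDDUMP_STRINGS.values())
SAMPLE_PARTIAL = b"\n".join(
    CREDDUMP_STRINGS[k].encode("ascii") for k in ("$a3", "$a4", "$a5", "$a6")
)

if __name__ == "__main__":
    for name, buf in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("partial", SAMPLE_PARTIAL)):
        print(name, rule_fires(buf), match_creddump(buf))
```

The partial buffer illustrates why all of ($a*) keeps the rule precise: the empty-password hash constants alone appear in plenty of legitimate tooling and documentation.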
Scenario: A system administrator is using mimikatz to perform a legitimate credential harvesting task during a security audit.
Filter/Exclusion: Check for the presence of mimikatz in the command line or process tree, or filter out processes initiated by a known admin account.
Scenario: A scheduled job runs creddump.py as part of a routine security compliance check.
Filter/Exclusion: Exclude processes initiated by a known compliance or security service account, or filter based on the presence of a specific job name or schedule.
Scenario: A Windows backup tool like wbadmin or vssadmin is extracting registry hives as part of a backup operation.
Filter/Exclusion: Filter out processes associated with backup services or check for the presence of backup-related command-line arguments.
Scenario: A Windows system restore operation is extracting registry hives to restore system state.
Filter/Exclusion: Exclude processes initiated by the System Restore service or check for the presence of restore-related command-line switches.
Scenario: A security tool like Volatility or RegRipper is analyzing registry hives for forensic analysis.
Filter/Exclusion: Filter out processes associated with forensic tools or check for the presence of known forensic analysis command-line arguments.