Windows.MobaXterm.Passwords :: Velociraptor

Windows.MobaXterm.Passwords

Extract MobaXterm encrypted saved Master Passwords, Passwords and Credentials from registry. Further information regarding decryption can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/


name: Windows.MobaXterm.Passwords
author: "Yaron King - @Sam0rai"
description: |
   Extract MobaXterm encrypted saved Master Passwords, Passwords and Credentials from registry.
   Further information regarding decryption can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/

type: CLIENT

precondition:
  SELECT * FROM info() where OS = 'windows'

parameters:
  - name: SearchRegistryGlob
    default: HKEY_USERS\\S-1-5-21-*\\SOFTWARE\\Mobatek\MobaXterm\\{M,P,C}\\**
    description: Use a glob to define the registry path to search for saved (M)aster passwords, (P)asswords and (C)redentials.

sources:
  - query: |
        SELECT Data.value as EncryptedCreds, FullPath, ModTime
        FROM glob(globs=SearchRegistryGlob, accessor='reg')