Extract MobaXterm encrypted saved Master Passwords, Passwords and Credentials from registry. Further information regarding decryption can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
name: Windows.MobaXterm.Passwords
author: "Yaron King - @Sam0rai"
description: |
Extract MobaXterm encrypted saved Master Passwords, Passwords and Credentials from registry.
Further information regarding decryption can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
type: CLIENT
precondition:
SELECT * FROM info() where OS = 'windows'
parameters:
- name: SearchRegistryGlob
default: HKEY_USERS\\S-1-5-21-*\\SOFTWARE\\Mobatek\MobaXterm\\{M,P,C}\\**
description: Use a glob to define the registry path to search for saved (M)aster passwords, (P)asswords and (C)redentials.
sources:
- query: |
SELECT Data.value as EncryptedCreds, FullPath, ModTime
FROM glob(globs=SearchRegistryGlob, accessor='reg')