Extract WinSCP obfuscated saved passwords from registry. Further information regarding deobfuscation can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
name: Windows.WinSCP.Passwords
author: "Yaron King - @Sam0rai"
description: |
Extract WinSCP obfuscated saved passwords from registry.
Further information regarding deobfuscation can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
type: CLIENT
precondition:
SELECT * FROM info() where OS = 'windows'
parameters:
- name: SearchRegistryGlob
default: HKEY_USERS\\S-1-5-21-*\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\*\\password
description: Use a glob to define the registry path to search for saved passwords.
sources:
- query: |
SELECT Data.value as ObfuscatedPassword, FullPath, ModTime
FROM glob(globs=SearchRegistryGlob, accessor='reg')