Credential Dumping Activity on BigFix root server

Hello, we got an alert from our Security team like the one below:

Credential Dumping activity is running on the BigFix root server, and they provided the details below:

Command: REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\MFSConfig" /v RESTPassword

Image: C:\Windows\SysWOW64\reg.exe

Parent Command: C:\Windows\system32\cmd.exe /s /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\MFSConfig /v RESTPassword

ParentUser: NT AUTHORITY\SYSTEM

GrandParentBaseFileName: node.exe

When I check in the BigFix console I am not able to find any actions, and even on the BigFix server I am not able to find anything in Event Viewer.

Any ideas why BigFix is doing credential dumping?

@JasonWalker

It is most likely related to the activity of Fixlet ID # 1294; however, you should be able to see the action if it has been configured.

If the action does not appear under actions, check the Server_audit log file for any action deletion activity.

However, this appears to be a typical process and is being marked as a false positive.

MFS is the BigFix Server Plugin Service. It requires operator credentials to connect back to the BigFix Server using REST API.

I’m not sure what the node.exe is. You’d probably need to get the command-line arguments to see which node process it is. If it’s one of ours, it could possibly be WebUI or the Server Automation Service, but I don’t know why one of those node processes would be accessing the registry path directly (I’m not saying it’s wrong/unexpected, I’m just not familiar enough with that detail of it).

I wonder whether your alert is triggered just because the registry value name contains “Password” ?
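As an added example (not code from the thread or from BigFix), here is a small Python triage rule that parses reg.exe command lines shaped like the one in the alert and classifies them along the lines of the reply above: a value name containing "Password" is what makes the query look like credential access, and a read of the BigFix MFSConfig key by SYSTEM under a node.exe ancestor is the pattern the MFS plugin service is expected to produce, which still needs the node.exe command line confirmed. The event fields and sample values are constructed for the example.

```python
import re

# Key quoted in the alert above (the value read was RESTPassword).
BIGFIX_MFS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\MFSConfig"

# Constructed sample events shaped like the alert fields (image, command line,
# user, grandparent image). Users and paths are made up for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\MFSConfig" /v RESTPassword',
     "user": r"NT AUTHORITY\SYSTEM", "grandparent": "node.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\MFSConfig /v RESTPassword",
     "user": r"CORP\jdoe", "grandparent": "powershell.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\BESClient /v Start",
     "user": r"NT AUTHORITY\SYSTEM", "grandparent": "services.exe"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted token or bare token


def parse_reg_query(cmdline):
    """Return (key, value_name) for `reg query <key> /v <name>`, else None.
    The key may be unquoted and contain spaces (cmd /s /c strips the quotes,
    as in the parent command above), so everything between QUERY and /v is the key."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    lowered = [t.lower() for t in tokens]
    if len(lowered) < 4 or not (lowered[0] == "reg" or lowered[0].endswith("reg.exe")):
        return None
    if lowered[1] != "query" or "/v" not in lowered:
        return None
    vi = lowered.index("/v")
    if vi + 1 >= len(tokens) or vi < 3:
        return None
    return " ".join(tokens[2:vi]), tokens[vi + 1]


def triage(event):
    """Classify one reg.exe event: benign, investigate, or expected BigFix MFS read."""
    parsed = parse_reg_query(event["cmdline"])
    if parsed is None:
        return "not-reg-query"
    key, value = parsed
    if "password" not in value.lower():
        return "benign"  # value name does not look like a secret
    key_norm = key.upper().replace("HKLM\\", "HKEY_LOCAL_MACHINE\\")
    expected = (key_norm == BIGFIX_MFS_KEY.upper()
                and event["user"].upper() == "NT AUTHORITY\\SYSTEM"
                and event["grandparent"].lower() == "node.exe")
    return "expected-bigfix-mfs" if expected else "investigate"
```

Anything returned as "expected-bigfix-mfs" is a tuning candidate only after the node.exe command line has been checked against a known BigFix component.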


node.exe process description says Node.js: Server-side JavaScript.

If you’re pulling it up in Task Manager you need to add options to show the command-line parameters, or at least right-click and enter Properties for the node.exe process, so we can see which node it is.