T1552.002 - Credentials in Registry#

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

  • Local Machine Hive: reg query HKLM /f password /t REG_SZ /s

  • Current User Hive: reg query HKCU /f password /t REG_SZ /s

Atomic Tests#

Atomic Test #1 - Enumeration for Credentials in Registry#

Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed.

Supported Platforms: windows

Attack Commands: Run with command_prompt#

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Invoke-AtomicTest T1552.002 -TestNumbers 1

Atomic Test #2 - Enumeration for PuTTY Credentials in Registry#

Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry entries are found, they will be displayed.

Supported Platforms: windows

Attack Commands: Run with command_prompt#

reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
Invoke-AtomicTest T1552.002 -TestNumbers 2

Detection#

Monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.
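The detection guidance above can be turned into a concrete rule over process-creation telemetry. The following is an added example written for this page, not code from Atomic Red Team or MITRE. It assumes a simplified event format of `timestamp|image_path|command_line` (the sample events are constructed; in practice the fields would come from Sysmon Event ID 1 or Security Event 4688) and flags a `reg query` when its `/f` search string is a credential keyword or when its target is the PuTTY sessions key exercised by Atomic Test #2. The keyword list and the `HIVE_ROOTS` set are assumptions chosen for the example.

```python
"""Detection logic for T1552.002 over process-creation events.

Added example for this page, not Atomic Red Team or MITRE code. Assumes a
simplified event format "timestamp|image_path|command_line"; the events
below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Search strings commonly passed to `reg query /f` when hunting for secrets
# (assumed list for the example; extend from your own baseline)
CRED_KEYWORDS = ("password", "passwd", "pwd", "credential")

# Registry locations that hold saved credentials; the PuTTY sessions key is
# the one exercised by Atomic Test #2 above.
SENSITIVE_KEY_PREFIXES = (
    r"hkcu\software\simontatham\putty\sessions",
    r"hkey_current_user\software\simontatham\putty\sessions",
)

# A recursive /f search rooted at one of these is a whole-hive sweep
HIVE_ROOTS = {"hklm", "hkcu", "hkey_local_machine", "hkey_current_user",
              "hku", "hkey_users"}

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    r"2024-05-01T10:00:01Z|C:\Windows\System32\reg.exe|reg query HKLM /f password /t REG_SZ /s",
    r"2024-05-01T10:00:02Z|C:\Windows\System32\reg.exe|reg query HKCU /f password /t REG_SZ /s",
    r"2024-05-01T10:00:03Z|C:\Windows\System32\reg.exe|reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s",
    r'2024-05-01T10:00:04Z|C:\Windows\System32\reg.exe|reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName',
    r"2024-05-01T10:00:05Z|C:\Windows\System32\cmd.exe|cmd /c echo password",
]


@dataclass
class Finding:
    timestamp: str
    reason: str
    command_line: str


def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def classify_reg_query(command_line: str) -> Optional[str]:
    """Return why this command line looks like credential hunting, or None."""
    toks = _tokens(command_line)
    if len(toks) < 3:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("reg", "reg.exe") or toks[1].lower() != "query":
        return None
    args = [t.lower() for t in toks[2:]]
    target = args[0] if not args[0].startswith("/") else ""
    recursive = "/s" in args
    # Case 1: /f <string> where the string is a credential keyword
    for i, arg in enumerate(args[:-1]):
        if arg == "/f" and any(k in args[i + 1] for k in CRED_KEYWORDS):
            scope = " across an entire hive" if recursive and target in HIVE_ROOTS else ""
            return f"reg query searching for '{args[i + 1]}'{scope}"
    # Case 2: direct read of a key known to store saved credentials
    if any(target.startswith(p) for p in SENSITIVE_KEY_PREFIXES):
        return f"reg query against saved-credential key {target}"
    return None


def scan_events(events: List[str]) -> List[Finding]:
    """Apply classify_reg_query to each 'timestamp|image|command_line' event."""
    findings = []
    for event in events:
        parts = event.split("|", 2)
        if len(parts) != 3:
            continue  # malformed record: skip rather than crash the pipeline
        ts, _image, cmdline = parts
        reason = classify_reg_query(cmdline)
        if reason:
            findings.append(Finding(ts, reason, cmdline))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.timestamp}  {f.reason}\n    {f.command_line}")
```

Run stand-alone, the script reports the first three sample events and stays silent on the benign `reg query` of `CurrentVersion` and on the `cmd.exe` line, which is the false-positive control the page's detection guidance asks for: a plain `reg query` is not suspicious on its own, only one whose search string or target points at stored credentials.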