T1552.002: Credentials in Registry
| View on MITRE ATT&CK | T1552.002 |
|---|---|
| Tactic(s) | Credential Access |
| Associated CAPEC Patterns | Collect Data from Registries (CAPEC-647) |
Data from MITRE ATT&CK®:
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)
- Local Machine Hive:
reg query HKLM /f password /t REG_SZ /s - Current User Hive:
reg query HKCU /f password /t REG_SZ /s
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Password Policies
Set and enforce secure password policies for accounts.Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Windows Registry Key Access (Windows Registry)
Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.