T1552.002
Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credent...
Windows
7 Detections
2 Sources
2 Threat Actors
BY SOURCE
sigma: 4
splunk_escu: 3
PROCEDURES (4)
Credential: 3 detections
Auto-extracted: 3 detections for credential
Persist: 2 detections
Auto-extracted: 2 detections for persist
Ransomware: 1 detection
Auto-extracted: 1 detection for ransomware
Registry Monitoring: 1 detection
Auto-extracted: 1 detection for registry monitoring
DETECTIONS (7)
Add DefaultUser And Password In Registry
splunk_escu
Auto Admin Logon Registry Entry
splunk_escu
Enumeration for 3rd Party Creds From CLI
sigma (medium)
Enumeration for Credentials in Registry
sigma (medium)
Registry Export of Third-Party Credentials
sigma (high)
SAM Registry Hive Handle Request
sigma (high)
Windows Credentials in Registry Reg Query
splunk_escu