Description
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Example commands to find Registry keys related to password information (Citation: Pentestlab Stored Credentials):
Local Machine Hive: `reg query HKLM /f password /t REG_SZ /s`
Current User Hive: `reg query HKCU /f password /t REG_SZ /s`
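As an added defender-side example (not part of this page or of ATT&CK), the following Python flags process-creation telemetry that matches the `reg query ... /f password ... /s` searches above. The sample events are constructed, and the Sysmon Event ID 1 style field names (`Image`, `CommandLine`, `User`) are an assumption about the log source.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real
# telemetry: events 0 and 1 are credential searches, events 2 and 3 are benign reg.exe use.
SAMPLE_EVENTS = [
    {"User": "CORP\\jdoe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM /f password /t REG_SZ /s"},
    {"User": "CORP\\jdoe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" QUERY HKCU /F passw /S'},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"User": "CORP\\admin", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Contoso\App /v password /d secret /f"},
]

CRED_TERMS = ("password", "passwd", "pwd", "credential")
_REG_IMAGE = re.compile(r"(?:^|[\\/])reg(?:\.exe)?$", re.IGNORECASE)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def classify(event):
    """Return a finding for a reg.exe credential search, or None if the event is benign."""
    if not _REG_IMAGE.search(event.get("Image", "")):
        return None
    toks = tokenize(event.get("CommandLine", ""))
    # Only the 'query' subcommand searches; for 'reg add', /f means force, not filter.
    if len(toks) < 3 or toks[1].lower() != "query":
        return None
    args = [t.lower() for t in toks[2:]]
    pattern = next((args[i + 1] for i, t in enumerate(args[:-1]) if t == "/f"), None)
    if pattern is None or len(pattern) < 3 or not any(
            pattern in term or term in pattern for term in CRED_TERMS):
        return None
    key, recursive = toks[2], "/s" in args
    whole_hive = "\\" not in key  # bare HKLM/HKCU root rather than one subkey
    return {"user": event.get("User", ""), "key": key, "pattern": pattern, "recursive": recursive,
            "severity": "high" if recursive and whole_hive else "medium"}

def scan(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A recursive search from a hive root is rated high because it is the exact shape of the commands above, while a filter on a single subkey is rated medium so that scoped administrative lookups can be triaged separately.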
Mitigations (3)
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | Do not store credentials within the Registry. |
| M1026 | Privileged Account Management | If software must store credentials in the Registry, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
| M1047 | Audit | Proactively search for credentials within the Registry and attempt to remediate the risk. |
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used Outlook Credential Dumper to harvest credentials stored in the Windows Registry.(Citation: Cybereason ... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) exported credentials from registry hives, including those stored in HKLM.(Citation: Check ... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) used [LaZagne](https://attack.mitre.org/software/S0349) to obtain passwords in the Registry.(Citation... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S0075 | Reg | Tool | [Reg](https://attack.mitre.org/software/S0075) may be used to find credentials in the Windows Registry.(Citation: Pentestlab Stored Credentials) |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) has several modules that search the Windows Registry for stored credentials: <code>Get-Unattend... |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022) can harvest credentials from local and remote host registries.(Citation: CrowdStrike IceApple May ... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) enumerates the registry key `HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\937... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) has retrieved PuTTY credentials by querying the <code>Software\SimonTatham\Putty\Sessions</code> r... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) can use the clientgrabber module to steal e-mail credentials from the Registry.(Citation: SentinelOne... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Au... |
Frequently Asked Questions
What is T1552.002 (Credentials in Registry)?
T1552.002 is a MITRE ATT&CK technique named 'Credentials in Registry'. It belongs to the Credential Access tactic. Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.
How can T1552.002 be detected?
Detection of T1552.002 (Credentials in Registry) typically involves monitoring system logs, network traffic, and endpoint telemetry, for example process-creation events showing `reg query` run with a `/f password` filter and the recursive `/s` switch. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1552.002?
There are 3 documented mitigations for T1552.002. Key mitigations include: Password Policies, Privileged Account Management, Audit.
Which threat groups use T1552.002?
Known threat groups using T1552.002 include: APT32, VOID MANTICORE, RedCurl.