T1552.002 Credentials in Registry Mappings

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

  • Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>
  • Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>
View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1552.002 Credentials in Registry
AC-2 Account Management Protects T1552.002 Credentials in Registry
AC-3 Access Enforcement Protects T1552.002 Credentials in Registry
AC-5 Separation of Duties Protects T1552.002 Credentials in Registry
AC-6 Least Privilege Protects T1552.002 Credentials in Registry
CA-7 Continuous Monitoring Protects T1552.002 Credentials in Registry
CA-8 Penetration Testing Protects T1552.002 Credentials in Registry
CM-5 Access Restrictions for Change Protects T1552.002 Credentials in Registry
CM-6 Configuration Settings Protects T1552.002 Credentials in Registry
IA-2 Identification and Authentication (organizational Users) Protects T1552.002 Credentials in Registry
IA-5 Authenticator Management Protects T1552.002 Credentials in Registry
RA-5 Vulnerability Monitoring and Scanning Protects T1552.002 Credentials in Registry
SA-11 Developer Testing and Evaluation Protects T1552.002 Credentials in Registry
SA-15 Development Process, Standards, and Tools Protects T1552.002 Credentials in Registry
SC-12 Cryptographic Key Establishment and Management Protects T1552.002 Credentials in Registry
SC-28 Protection of Information at Rest Protects T1552.002 Credentials in Registry
SC-4 Information in Shared System Resources Protects T1552.002 Credentials in Registry
SI-4 System Monitoring Protects T1552.002 Credentials in Registry
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.002 Unsecured Credentials: Credentials in Registry
attribute.confidentiality.data_disclosure related-to T1552.002 Unsecured Credentials: Credentials in Registry