T1552.002 Credentials in Registry Mappings

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

  • Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>
  • Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>
View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.002 Unsecured Credentials: Credentials in Registry
attribute.confidentiality.data_disclosure None related-to T1552.002 Unsecured Credentials: Credentials in Registry

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_secrets_manager AWS Secrets Manager technique_scores T1552.002 Credentials in Registry
Comments
This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
References