T1552.002 Credentials in Registry Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect registry credential access and search
let CredentialRegistryKeys = dynamic([
  "Winlogon", "DefaultPassword", "AutoAdminLogon",
  "SimonTatham", "Putty", "PuTTY",
  "Outlook\\Profiles", "IMAP Password", "POP3 Password",
  "VNC", "RealVNC", "TightVNC", "UltraVNC",
  "WinVNC", "password", "Password"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where RegistryKey has_any (CredentialRegistryKeys)
| extend IsAutoLogon = RegistryKey has "Winlogon" and (RegistryValueName has "Password" or RegistryValueName has "AutoAdminLogon")
| extend IsPutty = RegistryKey has_any ("SimonTatham", "PuTTY", "Putty")
| extend IsOutlook = RegistryKey has "Outlook" and RegistryKey has "Profiles"
| extend IsVNC = RegistryKey has_any ("VNC", "RealVNC", "TightVNC", "UltraVNC")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsAutoLogon, IsPutty, IsOutlook, IsVNC
| union (
    // Detect reg.exe bulk registry search for passwords
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("reg.exe", "powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any (
        "query HKLM /f password", "query HKCU /f password",
        "query HKLM /f passwd", "query HKCU /f passwd",
        "Get-ItemProperty", "Get-RegistryAutoLogon", "Find-GPOPassword"
      )
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Windows Registry Key Access Process: Process Creation Command: Command Execution

Required Tables

DeviceRegistryEvents DeviceProcessEvents

False Positives

AutoLogon configuration tools legitimately reading/writing DefaultPassword for kiosk or service account auto-logon setup
PuTTY and SSH client applications accessing their own saved session credentials for connection
Microsoft Outlook and email clients accessing their own profile credential storage
IT inventory and compliance tools that audit registry settings including credential storage configuration
Security assessment tools explicitly authorized to check for insecure credential storage in the registry

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (EventCode=13
   (TargetObject="*\\Winlogon\\DefaultPassword*" OR TargetObject="*\\Winlogon\\AutoAdminLogon*")
  | eval AlertType="AutoLogon_Credential"
  | table _time, host, User, Image, TargetObject, Details, AlertType)
OR
  (EventCode=1
   (Image="*\\reg.exe")
   (CommandLine="*query*" AND (CommandLine="*/f password*" OR CommandLine="*/f passwd*" OR CommandLine="*/f pwd*"))
  | eval AlertType="RegQuery_PasswordSearch"
  | table _time, host, User, Image, CommandLine, AlertType)
OR
  (EventCode=1
   (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
   (CommandLine="*Get-RegistryAutoLogon*" OR CommandLine="*Find-GPOPassword*" OR CommandLine="*Get-SiteListPassword*" OR
    CommandLine="*Get-CachedGPPPassword*" OR (CommandLine="*Get-ItemProperty*" AND CommandLine="*password*"))
  | eval AlertType="PowerSploit_CredRegistry"
  | table _time, host, User, Image, CommandLine, AlertType)
OR
  (EventCode=12 OR EventCode=13)
  (TargetObject="*SimonTatham*" OR TargetObject="*PuTTY*" OR TargetObject="*Outlook*Profiles*" OR TargetObject="*VNC*Password*")
  NOT (Image IN ("*\\putty.exe", "*\\OUTLOOK.EXE", "*\\tvnserver.exe"))
| eval AlertType="ThirdPartyCredRead"
| table _time, host, User, Image, TargetObject, AlertType
)
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Windows Registry Key Access Process: Process Creation Sysmon Event ID 1, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

AutoLogon configuration tools reading/writing DefaultPassword for kiosk setup
PuTTY accessing its own saved session credentials
Microsoft Outlook accessing its own profile credential storage
IT inventory tools auditing registry credential storage
Authorized security assessment tools checking for insecure credential storage

Elastic Security (EQL)

eql

any where (
  (
    event.category == "registry" and
    event.type in ("access", "query") and
    registry.path : (
      "*\\Winlogon\\DefaultPassword*",
      "*\\Winlogon\\AutoAdminLogon*",
      "*\\SimonTatham\\*",
      "*\\PuTTY\\Sessions*",
      "*\\Putty\\Sessions*",
      "*\\Outlook\\Profiles*",
      "*VNC*Password*",
      "*RealVNC*",
      "*TightVNC*",
      "*UltraVNC*"
    )
    and not process.name : ("putty.exe", "OUTLOOK.EXE", "tvnserver.exe", "vncviewer.exe")
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    process.name : ("reg.exe", "powershell.exe", "pwsh.exe") and
    (
      process.args : ("*query*") and process.args : ("*/f*") and process.args : ("*password*", "*passwd*", "*pwd*")
      or
      process.command_line : (
        "*Get-RegistryAutoLogon*",
        "*Find-GPOPassword*",
        "*Get-SiteListPassword*",
        "*Get-CachedGPPPassword*"
      )
      or
      (process.command_line : "*Get-ItemProperty*" and process.command_line : "*password*")
    )
  )
)

high severity high confidence

Data Sources

Windows Sysmon (Event IDs 1, 12, 13) Windows Security Event Log (Event ID 4688) Elastic Endpoint Security agent

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

IT administrators running CyberArk, BeyondTrust, or Tenable credential discovery scans that legitimately enumerate registry credential stores as part of authorized PAM audits
PuTTY, Outlook, or VNC applications accessing their own configuration registry keys during normal startup and session management
PowerShell-based IT automation scripts using Get-ItemProperty to audit AutoLogon settings on domain-joined workstations during compliance checks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "EventID" AS event_id,
  COALESCE("TargetObject", '') AS registry_target,
  COALESCE("Image", '') AS process_image,
  COALESCE("CommandLine", '') AS command_line,
  CASE
    WHEN "TargetObject" ILIKE '%Winlogon%DefaultPassword%' OR "TargetObject" ILIKE '%Winlogon%AutoAdminLogon%' THEN 'AutoLogon_Credential'
    WHEN "TargetObject" ILIKE '%SimonTatham%' OR "TargetObject" ILIKE '%PuTTY%' THEN 'PuTTY_Credential'
    WHEN "TargetObject" ILIKE '%Outlook%Profiles%' THEN 'Outlook_Credential'
    WHEN "TargetObject" ILIKE '%VNC%' THEN 'VNC_Credential'
    WHEN "CommandLine" ILIKE '%query%/f password%' OR "CommandLine" ILIKE '%query%/f passwd%' THEN 'RegQuery_PasswordSearch'
    WHEN "CommandLine" ILIKE '%Get-RegistryAutoLogon%' OR "CommandLine" ILIKE '%Find-GPOPassword%' THEN 'PowerSploit_CredRegistry'
    ELSE 'Registry_CredentialAccess'
  END AS alert_type
FROM events
WHERE
  LOGSOURCETYPEID = 432
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    (
      "EventID" IN (12, 13)
      AND (
        "TargetObject" ILIKE '%\Winlogon\DefaultPassword%'
        OR "TargetObject" ILIKE '%\Winlogon\AutoAdminLogon%'
        OR "TargetObject" ILIKE '%SimonTatham%'
        OR "TargetObject" ILIKE '%PuTTY%'
        OR "TargetObject" ILIKE '%Putty%'
        OR "TargetObject" ILIKE '%Outlook%Profiles%'
        OR "TargetObject" ILIKE '%VNC%Password%'
        OR "TargetObject" ILIKE '%RealVNC%'
        OR "TargetObject" ILIKE '%TightVNC%'
        OR "TargetObject" ILIKE '%UltraVNC%'
      )
      AND NOT "Image" ILIKE '%\putty.exe'
      AND NOT "Image" ILIKE '%\OUTLOOK.EXE'
      AND NOT "Image" ILIKE '%\tvnserver.exe'
    )
    OR
    (
      "EventID" = 1
      AND "Image" ILIKE '%\reg.exe'
      AND "CommandLine" ILIKE '%query%'
      AND (
        "CommandLine" ILIKE '%/f password%'
        OR "CommandLine" ILIKE '%/f passwd%'
        OR "CommandLine" ILIKE '%/f pwd%'
      )
    )
    OR
    (
      "EventID" = 1
      AND (
        "Image" ILIKE '%\powershell.exe'
        OR "Image" ILIKE '%\pwsh.exe'
      )
      AND (
        "CommandLine" ILIKE '%Get-RegistryAutoLogon%'
        OR "CommandLine" ILIKE '%Find-GPOPassword%'
        OR "CommandLine" ILIKE '%Get-SiteListPassword%'
        OR "CommandLine" ILIKE '%Get-CachedGPPPassword%'
        OR ("CommandLine" ILIKE '%Get-ItemProperty%' AND "CommandLine" ILIKE '%password%')
      )
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon (LOGSOURCETYPEID 432) Windows Security Event Log via WinCollect or Universal DSM

Required Tables

events

False Positives

Authorized IT asset management or PAM solutions (CyberArk, Delinea) performing scheduled registry credential discovery across the fleet as part of privileged access governance
PuTTY, TightVNC, or Outlook processes querying their own registry keys at launch — exclude by filtering Image path against the known application binary
Internal PowerShell-based compliance scripts that use Get-ItemProperty to verify Windows AutoLogon is disabled or report on its current state

Sumo Logic CSE

sql

(_sourceCategory="*/windows/sysmon" OR _sourceCategory="*/sysmon/operational")
| json auto
| where EventCode in ("1", "12", "13")
| where (
    (EventCode in ("12", "13") and (
      TargetObject matches "*\\Winlogon\\DefaultPassword*" OR
      TargetObject matches "*\\Winlogon\\AutoAdminLogon*" OR
      TargetObject matches "*SimonTatham*" OR
      TargetObject matches "*PuTTY*" OR
      TargetObject matches "*Putty*" OR
      TargetObject matches "*Outlook*Profiles*" OR
      TargetObject matches "*VNC*Password*" OR
      TargetObject matches "*RealVNC*" OR
      TargetObject matches "*TightVNC*" OR
      TargetObject matches "*UltraVNC*"
    ) and not (
      Image matches "*\\putty.exe" OR
      Image matches "*\\OUTLOOK.EXE" OR
      Image matches "*\\tvnserver.exe"
    ))
    OR
    (EventCode = "1" and (
      (Image matches "*\\reg.exe" and CommandLine matches "*query*" and (
        CommandLine matches "*/f password*" OR
        CommandLine matches "*/f passwd*" OR
        CommandLine matches "*/f pwd*"
      )) OR
      ((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") and (
        CommandLine matches "*Get-RegistryAutoLogon*" OR
        CommandLine matches "*Find-GPOPassword*" OR
        CommandLine matches "*Get-SiteListPassword*" OR
        CommandLine matches "*Get-CachedGPPPassword*" OR
        (CommandLine matches "*Get-ItemProperty*" and CommandLine matches "*password*")
      ))
    ))
  )
| if (EventCode in ("12","13") and TargetObject matches "*Winlogon*", "AutoLogon_Credential",
    if (EventCode in ("12","13") and (TargetObject matches "*SimonTatham*" or TargetObject matches "*PuTTY*"), "PuTTY_Credential",
    if (EventCode in ("12","13") and TargetObject matches "*Outlook*Profiles*", "Outlook_Credential",
    if (EventCode in ("12","13") and TargetObject matches "*VNC*", "VNC_Credential",
    if (EventCode = "1" and Image matches "*reg.exe*", "RegQuery_PasswordSearch",
    "PowerSploit_CredRegistry"))))) as AlertType
| count by _time, Computer, User, Image, TargetObject, CommandLine, AlertType
| fields -_count
| sort by _time desc

high severity high confidence

Data Sources

Windows Sysmon Operational log forwarded via Sumo Logic Windows collector Sumo Logic Cloud SIEM (CSE) with Windows normalisation schema

Required Tables

_sourceCategory=*/windows/sysmon _sourceCategory=*/sysmon/operational

False Positives

Domain group policy management tools that enumerate AutoLogon registry settings across OUs to enforce policy baseline compliance
Enterprise password vault agents (Delinea Secret Server, CyberArk EPM) accessing VNC or PuTTY registry paths to rotate stored credentials
Security assessment tools such as Nessus or Qualys credential scanners that query registry-based service credentials during authenticated internal scans

Google Chronicle / SecOps

yaral

rule t1552_002_credentials_in_registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.002 - adversary access to registry-stored credentials including AutoLogon, PuTTY sessions, Outlook profiles, and VNC passwords. Also covers reg.exe and PowerSploit command-line credential hunting."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.002"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1552/002/"

  events:
    (
      (
        $reg.metadata.event_type = "REGISTRY_READ" or
        $reg.metadata.event_type = "REGISTRY_MODIFICATION"
      ) and
      (
        re.regex($reg.target.registry.registry_key, `(?i).*\\Winlogon\\(DefaultPassword|AutoAdminLogon).*`) or
        re.regex($reg.target.registry.registry_key, `(?i).*SimonTatham.*`) or
        re.regex($reg.target.registry.registry_key, `(?i).*Pu[Tt]{2}Y\\Sessions.*`) or
        re.regex($reg.target.registry.registry_key, `(?i).*Outlook.*Profiles.*`) or
        re.regex($reg.target.registry.registry_key, `(?i).*(RealVNC|TightVNC|UltraVNC|WinVNC).*Password.*`)
      ) and
      not re.regex($reg.principal.process.file.full_path, `(?i).*(putty|OUTLOOK|tvnserver|vncviewer)\.exe`)
    )
    or
    (
      $reg.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($reg.principal.process.file.full_path, `(?i).*\\reg\.exe`) and
        re.regex($reg.principal.process.command_line, `(?i).*query.*\/f.*(password|passwd|pwd).*`)
      ) or
      (
        re.regex($reg.principal.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe`) and
        (
          re.regex($reg.principal.process.command_line, `(?i).*(Get-RegistryAutoLogon|Find-GPOPassword|Get-SiteListPassword|Get-CachedGPPPassword).*`) or
          re.regex($reg.principal.process.command_line, `(?i).*Get-ItemProperty.*password.*`)
        )
      )
    )

  condition:
    $reg
}

high severity high confidence

Data Sources

Google Chronicle UDM with Windows Sysmon ingestion Chronicle Unified Data Model (UDM) registry and process events Windows Event Forwarding (WEF) to Chronicle via forwarder

Required Tables

UDM REGISTRY_READ events UDM REGISTRY_MODIFICATION events UDM PROCESS_LAUNCH events

False Positives

Privileged access management platforms performing scheduled discovery of registry-stored service account credentials as part of rotation and audit workflows
Endpoint management agents (SCCM, Tanium, Intune) performing inventory collection that reads registry paths containing configuration data alongside credential fields
Internal red team or vulnerability assessment exercises generating authorised credential discovery activity — correlate with change management records

CrowdStrike LogScale (CQL)

cql

// Detect direct registry reads of credential paths
#repo=base_sensor
| #event_simpleName=RegOpenKey OR #event_simpleName=RegQueryValue
| RegObjectName = /(?i)(Winlogon\\DefaultPassword|Winlogon.*AutoAdminLogon|SimonTatham|Pu[Tt]{2}Y\\Sessions|Outlook.*Profiles|(?:Real|Tight|Ultra|Win)VNC.*Password)/
| not ImageFileName = /(?i)(putty|OUTLOOK|tvnserver|vncviewer)\.exe$/
| AlertType := case {
    RegObjectName = /(?i)Winlogon/ => "AutoLogon_Credential",
    RegObjectName = /(?i)(SimonTatham|PuTTY)/ => "PuTTY_Credential",
    RegObjectName = /(?i)Outlook/ => "Outlook_Credential",
    RegObjectName = /(?i)VNC/ => "VNC_Credential",
    default => "Registry_CredentialAccess"
  }
| table([_time, ComputerName, UserName, ImageFileName, RegObjectName, AlertType])

// Detect reg.exe and PowerShell bulk credential hunting
| union {
  #repo=base_sensor
  | #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)\\(reg|powershell|pwsh)\.exe$/
  | CommandLine = /(?i)(query.*\/f.*(password|passwd|pwd)|Get-RegistryAutoLogon|Find-GPOPassword|Get-SiteListPassword|Get-CachedGPPPassword|Get-ItemProperty.*password)/
  | AlertType := case {
      ImageFileName = /(?i)reg\.exe/ => "RegQuery_PasswordSearch",
      default => "PowerSploit_CredRegistry"
    }
  | table([_time, ComputerName, UserName, ImageFileName, CommandLine, AlertType])
}
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (base_sensor repository) Falcon Data Replicator (FDR) registry and process telemetry CrowdStrike Endpoint Detection and Response (EDR)

Required Tables

base_sensor (RegOpenKey, RegQueryValue events) base_sensor (ProcessRollup2 events)

False Positives

CrowdStrike Falcon sensor itself or other EDR agents performing registry telemetry collection that incidentally touches credential-adjacent registry paths
Enterprise single sign-on or credential synchronisation services (Okta, OneLogin agents) reading AutoLogon or Outlook profile keys to provision managed credentials
Helpdesk or remote support tools (TeamViewer, ConnectWise) accessing VNC registry configuration during legitimate remote session setup

Credentials in Registry

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections