Detect Credentials in Registry in Google Chronicle
Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.002 Credentials in Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1552/002/
YARA-L Detection Query
rule t1552_002_credentials_in_registry {
meta:
author = "Argus Detection Engineering"
description = "Detects T1552.002 - adversary access to registry-stored credentials including AutoLogon, PuTTY sessions, Outlook profiles, and VNC passwords. Also covers reg.exe and PowerSploit command-line credential hunting."
mitre_attack_tactic = "Credential Access"
mitre_attack_technique = "T1552.002"
severity = "HIGH"
priority = "HIGH"
reference = "https://attack.mitre.org/techniques/T1552/002/"
events:
(
(
$reg.metadata.event_type = "REGISTRY_READ" or
$reg.metadata.event_type = "REGISTRY_MODIFICATION"
) and
(
re.regex($reg.target.registry.registry_key, `(?i).*\\Winlogon\\(DefaultPassword|AutoAdminLogon).*`) or
re.regex($reg.target.registry.registry_key, `(?i).*SimonTatham.*`) or
re.regex($reg.target.registry.registry_key, `(?i).*Pu[Tt]{2}Y\\Sessions.*`) or
re.regex($reg.target.registry.registry_key, `(?i).*Outlook.*Profiles.*`) or
re.regex($reg.target.registry.registry_key, `(?i).*(RealVNC|TightVNC|UltraVNC|WinVNC).*Password.*`)
) and
not re.regex($reg.principal.process.file.full_path, `(?i).*(putty|OUTLOOK|tvnserver|vncviewer)\.exe`)
)
or
(
$reg.metadata.event_type = "PROCESS_LAUNCH" and
(
re.regex($reg.principal.process.file.full_path, `(?i).*\\reg\.exe`) and
re.regex($reg.principal.process.command_line, `(?i).*query.*\/f.*(password|passwd|pwd).*`)
) or
(
re.regex($reg.principal.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe`) and
(
re.regex($reg.principal.process.command_line, `(?i).*(Get-RegistryAutoLogon|Find-GPOPassword|Get-SiteListPassword|Get-CachedGPPPassword).*`) or
re.regex($reg.principal.process.command_line, `(?i).*Get-ItemProperty.*password.*`)
)
)
)
condition:
$reg
}Chronicle YARA-L 2.0 rule detecting T1552.002 registry credential access. Uses UDM REGISTRY_READ and REGISTRY_MODIFICATION event types to match credential-bearing registry key paths (AutoLogon, PuTTY, Outlook, VNC) and PROCESS_LAUNCH events to catch reg.exe bulk searches and PowerSploit harvesting cmdlets. Excludes legitimate application self-access.
Data Sources
Required Tables
False Positives & Tuning
- Privileged access management platforms performing scheduled discovery of registry-stored service account credentials as part of rotation and audit workflows
- Endpoint management agents (SCCM, Tanium, Intune) performing inventory collection that reads registry paths containing configuration data alongside credential fields
- Internal red team or vulnerability assessment exercises generating authorised credential discovery activity — correlate with change management records
Other platforms for T1552.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Query Registry for AutoLogon Credentials
Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing enabled for this key. The returned value (if present) is the plaintext password.
- Test 2Bulk Registry Password Search with reg.exe
Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.
- Test 3Query PuTTY Saved Session Credentials
Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.
- Test 4PowerSploit Get-RegistryAutoLogon
Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.
References (6)
- https://attack.mitre.org/techniques/T1552/002/
- https://pentestlab.blog/2017/04/19/stored-credentials/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- https://www.trendmicro.com/en_us/research/19/b/trickbot-adds-new-features-targets-energy-enterprises.html
Unlock Pro Content
Get the full detection package for T1552.002 including response playbook, investigation guide, and atomic red team tests.