T1552.002 Elastic Security · Elastic

Detect Credentials in Registry in Elastic Security

Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.002 Credentials in Registry
Canonical reference
https://attack.mitre.org/techniques/T1552/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where (
  (
    event.category == "registry" and
    event.type in ("access", "query") and
    registry.path : (
      "*\\Winlogon\\DefaultPassword*",
      "*\\Winlogon\\AutoAdminLogon*",
      "*\\SimonTatham\\*",
      "*\\PuTTY\\Sessions*",
      "*\\Putty\\Sessions*",
      "*\\Outlook\\Profiles*",
      "*VNC*Password*",
      "*RealVNC*",
      "*TightVNC*",
      "*UltraVNC*"
    )
    and not process.name : ("putty.exe", "OUTLOOK.EXE", "tvnserver.exe", "vncviewer.exe")
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    process.name : ("reg.exe", "powershell.exe", "pwsh.exe") and
    (
      process.args : ("*query*") and process.args : ("*/f*") and process.args : ("*password*", "*passwd*", "*pwd*")
      or
      process.command_line : (
        "*Get-RegistryAutoLogon*",
        "*Find-GPOPassword*",
        "*Get-SiteListPassword*",
        "*Get-CachedGPPPassword*"
      )
      or
      (process.command_line : "*Get-ItemProperty*" and process.command_line : "*password*")
    )
  )
)
high severity high confidence

Detects T1552.002 credential access via the Windows Registry. Covers direct registry reads of AutoLogon, PuTTY, Outlook, and VNC credential paths, as well as command-line tools (reg.exe, PowerShell/PowerSploit) performing bulk password searches across the registry hive.

Data Sources

Windows Sysmon (Event IDs 1, 12, 13)Windows Security Event Log (Event ID 4688)Elastic Endpoint Security agent

Required Tables

logs-endpoint.events.registry-*logs-endpoint.events.process-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • IT administrators running CyberArk, BeyondTrust, or Tenable credential discovery scans that legitimately enumerate registry credential stores as part of authorized PAM audits
  • PuTTY, Outlook, or VNC applications accessing their own configuration registry keys during normal startup and session management
  • PowerShell-based IT automation scripts using Get-ItemProperty to audit AutoLogon settings on domain-joined workstations during compliance checks
Download portable Sigma rule (.yml)

Other platforms for T1552.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Query Registry for AutoLogon Credentials

    Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing enabled for this key. The returned value (if present) is the plaintext password.

  2. Test 2Bulk Registry Password Search with reg.exe

    Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.

  3. Test 3Query PuTTY Saved Session Credentials

    Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.

  4. Test 4PowerSploit Get-RegistryAutoLogon

    Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1552.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In FilesT1552.003Bash HistoryT1552.004Private KeysT1552.005Cloud Instance Metadata APIT1552.006Group Policy PreferencesT1552.007Container APIT1552.008Chat Messages

Related Techniques

T1552Unsecured CredentialsT1552.001Credentials In FilesT1552.006Group Policy PreferencesT1003OS Credential DumpingT1012Query RegistryT1021.001Remote Desktop ProtocolT1547.001Registry Run Keys / Startup Folder

Same Tactic: Credential Access

Popular Detections