Detect Credentials in Registry in CrowdStrike LogScale
Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.002 Credentials in Registry
- Canonical reference: https://attack.mitre.org/techniques/T1552/002/
LogScale Detection Query
// Two branches in one case statement: (1) direct registry reads of credential paths,
// (2) reg.exe and PowerShell bulk credential hunting. Events matching neither branch are dropped.
#repo=base_sensor
| #event_simpleName=RegOpenKey OR #event_simpleName=RegQueryValue OR #event_simpleName=ProcessRollup2
| case {
    #event_simpleName=RegOpenKey OR #event_simpleName=RegQueryValue
    | RegObjectName = /(?i)(Winlogon\\DefaultPassword|Winlogon.*AutoAdminLogon|SimonTatham|Pu[Tt]{2}Y\\Sessions|Outlook.*Profiles|(?:Real|Tight|Ultra|Win)VNC.*Password)/
    | not ImageFileName = /(?i)(putty|OUTLOOK|tvnserver|vncviewer)\.exe$/
    | case {
        RegObjectName = /(?i)Winlogon/ | AlertType := "AutoLogon_Credential";
        RegObjectName = /(?i)(SimonTatham|PuTTY)/ | AlertType := "PuTTY_Credential";
        RegObjectName = /(?i)Outlook/ | AlertType := "Outlook_Credential";
        RegObjectName = /(?i)VNC/ | AlertType := "VNC_Credential";
        * | AlertType := "Registry_CredentialAccess"
      };
    #event_simpleName=ProcessRollup2
    | ImageFileName = /(?i)\\(reg|powershell|pwsh)\.exe$/
    | CommandLine = /(?i)(query.*\/f.*(password|passwd|pwd)|Get-RegistryAutoLogon|Find-GPOPassword|Get-SiteListPassword|Get-CachedGPPPassword|Get-ItemProperty.*password)/
    | case {
        ImageFileName = /(?i)reg\.exe/ | AlertType := "RegQuery_PasswordSearch";
        * | AlertType := "PowerSploit_CredRegistry"
      }
  }
| table([_time, ComputerName, UserName, ImageFileName, RegObjectName, CommandLine, AlertType])
| sort(field=_time, order=desc)

CrowdStrike LogScale (CQL) detection for T1552.002. It queries the base_sensor repository for Falcon RegOpenKey and RegQueryValue events whose RegObjectName matches a credential-bearing registry path (AutoLogon, PuTTY, Outlook, VNC), excluding the applications that legitimately own those keys, and combines them with ProcessRollup2 events for reg.exe bulk password searches and PowerSploit credential-harvesting commands. Each result is enriched with an AlertType classification and sorted newest first.
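The query's logic re-implemented in Python so the path matching, owner-application exclusion, AlertType classification and false-positive tuning can be exercised offline. This is an added example, not the page's query or CrowdStrike code; the field names follow the query (event_simpleName, RegObjectName, ImageFileName, CommandLine), and every sample event, hostname, user, SID and timestamp below is constructed.

```python
import re

# Added example, not the page's own code: the LogScale query's logic re-implemented
# in Python so the classification, owner-application exclusion and false-positive
# tuning can be exercised offline. Field names follow the query (event_simpleName,
# RegObjectName, ImageFileName, CommandLine); all sample events are constructed.

# Credential-bearing registry paths (the query's pattern set, in Python re syntax)
CRED_PATH_RE = re.compile(
    r"(Winlogon\\DefaultPassword|Winlogon.*AutoAdminLogon|SimonTatham|Pu[Tt]{2}Y\\Sessions"
    r"|Outlook.*Profiles|(?:Real|Tight|Ultra|Win)VNC.*Password)", re.IGNORECASE)
# Applications that own these keys and read them during normal operation
OWNER_APP_RE = re.compile(r"(putty|OUTLOOK|tvnserver|vncviewer)\.exe$", re.IGNORECASE)
# Bulk credential hunting through reg.exe or PowerShell
HUNT_IMAGE_RE = re.compile(r"\\(reg|powershell|pwsh)\.exe$", re.IGNORECASE)
HUNT_CMDLINE_RE = re.compile(
    r"(query.*/f.*(password|passwd|pwd)|Get-RegistryAutoLogon|Find-GPOPassword"
    r"|Get-SiteListPassword|Get-CachedGPPPassword|Get-ItemProperty.*password)", re.IGNORECASE)
# Ordered like the query's case statement: the first matching class wins
REG_ALERT_CLASSES = [
    (re.compile(r"Winlogon", re.IGNORECASE), "AutoLogon_Credential"),
    (re.compile(r"SimonTatham|PuTTY", re.IGNORECASE), "PuTTY_Credential"),
    (re.compile(r"Outlook", re.IGNORECASE), "Outlook_Credential"),
    (re.compile(r"VNC", re.IGNORECASE), "VNC_Credential"),
]
COLUMNS = ["_time", "ComputerName", "UserName", "ImageFileName", "RegObjectName", "CommandLine"]


def classify_registry_event(event):
    """Branch 1 of the query: RegOpenKey/RegQueryValue on a credential path."""
    if event.get("event_simpleName") not in ("RegOpenKey", "RegQueryValue"):
        return None
    path = event.get("RegObjectName", "")
    if not CRED_PATH_RE.search(path) or OWNER_APP_RE.search(event.get("ImageFileName", "")):
        return None
    for pattern, label in REG_ALERT_CLASSES:
        if pattern.search(path):
            return label
    return "Registry_CredentialAccess"


def classify_process_event(event):
    """Branch 2 of the query: reg.exe or PowerShell bulk credential hunting."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    image = event.get("ImageFileName", "")
    if not HUNT_IMAGE_RE.search(image) or not HUNT_CMDLINE_RE.search(event.get("CommandLine", "")):
        return None
    return "RegQuery_PasswordSearch" if re.search(r"reg\.exe$", image, re.IGNORECASE) else "PowerSploit_CredRegistry"


def run_detection(events, image_allowlist=()):
    """Apply both branches. image_allowlist carries extra tuning regexes, e.g. for an
    EDR or SSO agent that legitimately reads these keys (see False Positives)."""
    alerts = []
    for ev in events:
        label = classify_registry_event(ev) or classify_process_event(ev)
        if label is None or any(re.search(p, ev.get("ImageFileName", ""), re.IGNORECASE)
                                for p in image_allowlist):
            continue
        alerts.append({**{c: ev.get(c) for c in COLUMNS}, "AlertType": label})
    return sorted(alerts, key=lambda a: a["_time"], reverse=True)  # sort(field=_time, order=desc)


def _ev(time, host, user, name, image, **fields):
    return {"_time": time, "ComputerName": host, "UserName": user,
            "event_simpleName": name, "ImageFileName": image, **fields}


SYS32 = r"\Device\HarddiskVolume1\Windows\System32"
PROGRAM_FILES = r"\Device\HarddiskVolume1\Program Files"
WINLOGON = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PUTTY_SESSION = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\SimonTatham\PuTTY\Sessions\prod-db"

# Constructed sample telemetry (not real Falcon data); event 7 is a benign reg query
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:01Z", "WS01", "alice", "RegQueryValue", SYS32 + r"\reg.exe",
        RegObjectName=WINLOGON + r"\DefaultPassword"),
    _ev("2024-05-01T10:00:02Z", "WS01", "alice", "RegOpenKey", PROGRAM_FILES + r"\PuTTY\putty.exe",
        RegObjectName=PUTTY_SESSION),
    _ev("2024-05-01T10:00:03Z", "WS01", "alice", "RegOpenKey", SYS32 + r"\notepad.exe",
        RegObjectName=PUTTY_SESSION),
    _ev("2024-05-01T10:00:04Z", "WS02", "bob", "ProcessRollup2", SYS32 + r"\reg.exe",
        CommandLine="reg query HKLM /f password /t REG_SZ /s"),
    _ev("2024-05-01T10:00:05Z", "WS02", "bob", "ProcessRollup2",
        SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        CommandLine="powershell.exe -NoP -C Get-RegistryAutoLogon"),
    _ev("2024-05-01T10:00:06Z", "WS03", "SYSTEM", "RegQueryValue",
        PROGRAM_FILES + r"\CrowdStrike\CSFalconService.exe",
        RegObjectName=WINLOGON + r"\AutoAdminLogon"),
    _ev("2024-05-01T10:00:07Z", "WS02", "bob", "ProcessRollup2", SYS32 + r"\reg.exe",
        CommandLine=r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
    _ev("2024-05-01T10:00:08Z", "WS03", "SYSTEM", "RegOpenKey", SYS32 + r"\svchost.exe",
        RegObjectName=r"\REGISTRY\MACHINE\SOFTWARE\TightVNC\Server\Password"),
]

# Tuning from the False Positives section: the Falcon sensor's own registry reads
EDR_AGENT_ALLOWLIST = (r"\\CSFalconService\.exe$",)

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, EDR_AGENT_ALLOWLIST):
        print(alert["_time"], alert["ComputerName"], alert["AlertType"], alert["ImageFileName"])
```

Running it shows putty.exe reading its own sessions key being dropped by the owner-application exclusion, the benign reg query producing nothing, and the sensor's AutoAdminLogon read disappearing only once the allowlist is supplied, which is the tuning step the False Positives section calls for.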
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor itself or other EDR agents performing registry telemetry collection that incidentally touches credential-adjacent registry paths
- Enterprise single sign-on or credential synchronisation services (Okta, OneLogin agents) reading AutoLogon or Outlook profile keys to provision managed credentials
- Helpdesk or remote support tools (TeamViewer, ConnectWise) accessing VNC registry configuration during legitimate remote session setup
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Query Registry for AutoLogon Credentials
  Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing is enabled for this key. The returned value (if present) is the plaintext password.
- Test 2: Bulk Registry Password Search with reg.exe
  Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.
- Test 3: Query PuTTY Saved Session Credentials
  Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.
- Test 4: PowerSploit Get-RegistryAutoLogon
  Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.
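A coverage check for the expected signals listed above, added here as an example; it is not part of the page or of Atomic Red Team. It takes the telemetry collected while the four tests ran and reports, per test, which expected events were observed. Security Event ID 4663 only appears when registry auditing is enabled for the key, so it is treated as optional rather than required. The telemetry records are constructed, and the event ids and substrings come from the Expected signal lines above.

```python
# Added example, not from the page or Atomic Red Team: checks collected telemetry
# against the expected signals of each test. Event ids and substrings come from the
# Testing Methodology section; the sample telemetry records below are constructed.

# (log source, event id, substring expected in the event detail, required?)
# Security 4663 depends on registry auditing being enabled, so it is optional.
EXPECTED_SIGNALS = {
    "Test 1: AutoLogon query": [
        ("Sysmon", 1, "DefaultPassword", True),
        ("Security", 4663, "Winlogon", False),
    ],
    "Test 2: Bulk reg.exe search": [("Sysmon", 1, "/f password", True)],
    "Test 3: PuTTY sessions": [("Sysmon", 1, "SimonTatham", True)],
    "Test 4: Get-RegistryAutoLogon": [
        ("Sysmon", 1, "Get-RegistryAutoLogon", True),
        ("Sysmon", 7, "PowerSploit", True),
        ("PowerShell", 4104, "Get-RegistryAutoLogon", True),
    ],
}


def signal_seen(events, source, event_id, needle):
    """True if any collected event from `source` with `event_id` contains `needle`."""
    return any(e["source"] == source and e["event_id"] == event_id
               and needle.lower() in e["detail"].lower() for e in events)


def coverage_report(events, expected=EXPECTED_SIGNALS):
    """Per test: passed (all required signals seen) plus the missing signals by class."""
    report = {}
    for test, signals in expected.items():
        missing = {"required": [], "optional": []}
        for source, event_id, needle, required in signals:
            if not signal_seen(events, source, event_id, needle):
                missing["required" if required else "optional"].append(f"{source} {event_id}")
        report[test] = {"passed": not missing["required"],
                        "missing_required": missing["required"],
                        "missing_optional": missing["optional"]}
    return report


def failing_tests(report):
    """Names of tests whose required telemetry was not all observed."""
    return [test for test, result in report.items() if not result["passed"]]


# Constructed telemetry from a lab run: registry auditing was off (no 4663) and the
# Sysmon 7 image load for Test 4 was not collected, so the report should flag both.
SAMPLE_TELEMETRY = [
    {"source": "Sysmon", "event_id": 1,
     "detail": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword'},
    {"source": "Sysmon", "event_id": 1, "detail": "reg query HKLM /f password /t REG_SZ /s"},
    {"source": "Sysmon", "event_id": 1, "detail": r"reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s"},
    {"source": "Sysmon", "event_id": 1, "detail": "powershell.exe -NoP -C Get-RegistryAutoLogon"},
    {"source": "PowerShell", "event_id": 4104, "detail": "function Get-RegistryAutoLogon { ... }"},
]

if __name__ == "__main__":
    for test, result in coverage_report(SAMPLE_TELEMETRY).items():
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{status} {test}: missing required={result['missing_required']} "
              f"optional={result['missing_optional']}")
```

On the constructed run, Tests 1 to 3 pass, Test 1 notes the absent 4663 as optional, and Test 4 fails because the Sysmon 7 image load was never collected, which is the kind of collection gap this check is meant to surface before the detection is trusted.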
References
- https://attack.mitre.org/techniques/T1552/002/
- https://pentestlab.blog/2017/04/19/stored-credentials/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- https://www.trendmicro.com/en_us/research/19/b/trickbot-adds-new-features-targets-energy-enterprises.html