T1552.002 IBM QRadar · QRadar

Detect Credentials in Registry in IBM QRadar

Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.002 Credentials in Registry
Canonical reference
https://attack.mitre.org/techniques/T1552/002/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "EventID" AS event_id,
  COALESCE("TargetObject", '') AS registry_target,
  COALESCE("Image", '') AS process_image,
  COALESCE("CommandLine", '') AS command_line,
  CASE
    WHEN "TargetObject" ILIKE '%Winlogon%DefaultPassword%' OR "TargetObject" ILIKE '%Winlogon%AutoAdminLogon%' THEN 'AutoLogon_Credential'
    WHEN "TargetObject" ILIKE '%SimonTatham%' OR "TargetObject" ILIKE '%PuTTY%' THEN 'PuTTY_Credential'
    WHEN "TargetObject" ILIKE '%Outlook%Profiles%' THEN 'Outlook_Credential'
    WHEN "TargetObject" ILIKE '%VNC%' THEN 'VNC_Credential'
    WHEN "CommandLine" ILIKE '%query%/f password%' OR "CommandLine" ILIKE '%query%/f passwd%' THEN 'RegQuery_PasswordSearch'
    WHEN "CommandLine" ILIKE '%Get-RegistryAutoLogon%' OR "CommandLine" ILIKE '%Find-GPOPassword%' THEN 'PowerSploit_CredRegistry'
    ELSE 'Registry_CredentialAccess'
  END AS alert_type
FROM events
WHERE
  LOGSOURCETYPEID = 432
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    -- Branch 1: Sysmon registry events (12 = key create/delete, 13 = value set) on known credential keys,
    -- excluding the owning applications touching their own keys (see False Positives & Tuning)
    (
      "EventID" IN (12, 13)
      AND (
        "TargetObject" ILIKE '%\Winlogon\DefaultPassword%'
        OR "TargetObject" ILIKE '%\Winlogon\AutoAdminLogon%'
        OR "TargetObject" ILIKE '%SimonTatham%'
        OR "TargetObject" ILIKE '%PuTTY%'   -- ILIKE is case-insensitive, so this also covers 'Putty'
        OR "TargetObject" ILIKE '%Outlook%Profiles%'
        OR "TargetObject" ILIKE '%VNC%Password%'
        OR "TargetObject" ILIKE '%RealVNC%'
        OR "TargetObject" ILIKE '%TightVNC%'
        OR "TargetObject" ILIKE '%UltraVNC%'
      )
      AND NOT "Image" ILIKE '%\putty.exe'
      AND NOT "Image" ILIKE '%\OUTLOOK.EXE'
      AND NOT "Image" ILIKE '%\tvnserver.exe'
    )
    OR
    -- Branch 2: reg.exe bulk searches for password-like value names
    (
      "EventID" = 1
      AND "Image" ILIKE '%\reg.exe'
      AND "CommandLine" ILIKE '%query%'
      AND (
        "CommandLine" ILIKE '%/f password%'
        OR "CommandLine" ILIKE '%/f passwd%'
        OR "CommandLine" ILIKE '%/f pwd%'
      )
    )
    OR
    -- Branch 3: PowerSploit registry credential harvesting functions, or ad-hoc Get-ItemProperty password lookups
    (
      "EventID" = 1
      AND (
        "Image" ILIKE '%\powershell.exe'
        OR "Image" ILIKE '%\pwsh.exe'
      )
      AND (
        "CommandLine" ILIKE '%Get-RegistryAutoLogon%'
        OR "CommandLine" ILIKE '%Find-GPOPassword%'
        OR "CommandLine" ILIKE '%Get-SiteListPassword%'
        OR "CommandLine" ILIKE '%Get-CachedGPPPassword%'
        OR ("CommandLine" ILIKE '%Get-ItemProperty%' AND "CommandLine" ILIKE '%password%')
      )
    )
  )
ORDER BY starttime DESC
```

Severity: high · Confidence: high

QRadar AQL query detecting T1552.002 registry credential theft. It monitors Sysmon Event IDs 12 and 13 (registry key create/delete and value set) targeting known credential registry paths (AutoLogon, PuTTY, Outlook, VNC), and Sysmon Event ID 1 (process create) for reg.exe bulk password searches and PowerSploit credential harvesting functions. Note that Sysmon does not record registry reads: a plain query of these keys is only visible through the process-creation branches of this rule or through Security Event ID 4663 where object-access auditing is enabled on the key.

Data Sources

  • Microsoft Windows Sysmon (LOGSOURCETYPEID 432)
  • Windows Security Event Log via WinCollect or Universal DSM

Required Tables

events

False Positives & Tuning

  • Authorized IT asset management or PAM solutions (CyberArk, Delinea) performing scheduled registry credential discovery across the fleet as part of privileged access governance
  • PuTTY, TightVNC, or Outlook processes querying their own registry keys at launch — exclude by filtering Image path against the known application binary
  • Internal PowerShell-based compliance scripts that use Get-ItemProperty to verify Windows AutoLogon is disabled or report on its current state
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query Registry for AutoLogon Credentials

    Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing is enabled for this key. The returned value (if present) is the plaintext password.

  2. Test 2: Bulk Registry Password Search with reg.exe

    Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.

  3. Test 3: Query PuTTY Saved Session Credentials

    Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.

  4. Test 4: PowerSploit Get-RegistryAutoLogon

    Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.
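To check the query's WHERE and CASE logic offline against the expected signals of the tests above and the tuning exclusions in False Positives & Tuning, here is a Python re-implementation run over constructed Sysmon-shaped events. This is an added example, not part of the page's detection package or QRadar's own tooling; the field names mirror the query's custom properties, the `ilike` helper approximates AQL ILIKE, and every sample event is constructed.

```python
import re
# Constructed sample Sysmon events (not real telemetry); keys mirror the QRadar
# custom properties the query references. Event 6 is benign and should not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": "reg query HKLM /f password /t REG_SZ /s"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": "reg query HKCU /f pwd /s"},
    {"EventID": 13, "Image": r"C:\Program Files\PuTTY\putty.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\SimonTatham\PuTTY\Sessions\prod\HostName"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Get-RegistryAutoLogon"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg query HKLM\SOFTWARE\Vendor\App /v Version"},
]

def ilike(value, *patterns):
    """Approximate AQL ILIKE (case-insensitive; '%' any run, '_' one char); True if any pattern matches."""
    def rx(p): return "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in p)
    return any(re.fullmatch(rx(p), value or "", re.IGNORECASE | re.DOTALL) for p in patterns)

CRED_KEYS = [r"%\Winlogon\DefaultPassword%", r"%\Winlogon\AutoAdminLogon%", "%SimonTatham%", "%PuTTY%",
             "%Outlook%Profiles%", "%VNC%Password%", "%RealVNC%", "%TightVNC%", "%UltraVNC%"]
OWNER_IMAGES = [r"%\putty.exe", r"%\OUTLOOK.EXE", r"%\tvnserver.exe"]  # the page's tuning exclusions
PS_FUNCS = ["%Get-RegistryAutoLogon%", "%Find-GPOPassword%", "%Get-SiteListPassword%", "%Get-CachedGPPPassword%"]

def where_matches(ev):
    """The query's WHERE clause for one event (log-source and 24h time filters omitted)."""
    eid, tgt, img, cmd = ev.get("EventID"), ev.get("TargetObject", ""), ev.get("Image", ""), ev.get("CommandLine", "")
    if eid in (12, 13):
        return ilike(tgt, *CRED_KEYS) and not ilike(img, *OWNER_IMAGES)
    if eid == 1 and ilike(img, r"%\reg.exe"):
        return ilike(cmd, "%query%") and ilike(cmd, "%/f password%", "%/f passwd%", "%/f pwd%")
    if eid == 1 and ilike(img, r"%\powershell.exe", r"%\pwsh.exe"):
        return ilike(cmd, *PS_FUNCS) or (ilike(cmd, "%Get-ItemProperty%") and ilike(cmd, "%password%"))
    return False

def alert_type(ev):
    """The CASE expression, evaluated as the SELECT list does: on its own, not per WHERE branch."""
    tgt, cmd = ev.get("TargetObject", ""), ev.get("CommandLine", "")
    if ilike(tgt, "%Winlogon%DefaultPassword%", "%Winlogon%AutoAdminLogon%"): return "AutoLogon_Credential"
    if ilike(tgt, "%SimonTatham%", "%PuTTY%"): return "PuTTY_Credential"
    if ilike(tgt, "%Outlook%Profiles%"): return "Outlook_Credential"
    if ilike(tgt, "%VNC%"): return "VNC_Credential"
    if ilike(cmd, "%query%/f password%", "%query%/f passwd%"): return "RegQuery_PasswordSearch"
    if ilike(cmd, "%Get-RegistryAutoLogon%", "%Find-GPOPassword%"): return "PowerSploit_CredRegistry"
    return "Registry_CredentialAccess"  # '/f pwd' and Get-SiteListPassword hits land here

def run_detection(events):
    # [(EventID, alert_type)] for the events the WHERE clause keeps, in input order
    return [(ev["EventID"], alert_type(ev)) for ev in events if where_matches(ev)]
```

Running `run_detection(SAMPLE_EVENTS)` shows that the putty.exe event is dropped by the tuning exclusion, and that a `/f pwd` search passes the WHERE clause but is labelled with the CASE fallback `Registry_CredentialAccess`, because the CASE only names `password` and `passwd`; aligning the two lists is worth doing before relying on `alert_type` for triage.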
