Detect Credentials in Registry in Microsoft Sentinel
Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.002 Credentials in Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1552/002/
KQL Detection Query
// Detect registry credential access and search
let CredentialRegistryKeys = dynamic([
"Winlogon", "DefaultPassword", "AutoAdminLogon",
"SimonTatham", "Putty", "PuTTY",
"Outlook\\Profiles", "IMAP Password", "POP3 Password",
"VNC", "RealVNC", "TightVNC", "UltraVNC",
"WinVNC", "password", "Password"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where RegistryKey has_any (CredentialRegistryKeys)
| extend IsAutoLogon = RegistryKey has "Winlogon" and (RegistryValueName has "Password" or RegistryValueName has "AutoAdminLogon")
| extend IsPutty = RegistryKey has_any ("SimonTatham", "PuTTY", "Putty")
| extend IsOutlook = RegistryKey has "Outlook" and RegistryKey has "Profiles"
| extend IsVNC = RegistryKey has_any ("VNC", "RealVNC", "TightVNC", "UltraVNC")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
IsAutoLogon, IsPutty, IsOutlook, IsVNC
| union (
// Detect reg.exe bulk registry search for passwords
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("reg.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
"query HKLM /f password", "query HKCU /f password",
"query HKLM /f passwd", "query HKCU /f passwd",
"Get-ItemProperty", "Get-RegistryAutoLogon", "Find-GPOPassword"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp descDetects registry credential access via two patterns: direct registry value queries to known credential-storing registry keys (AutoLogon DefaultPassword, PuTTY saved sessions, Outlook profiles, VNC passwords); and process command lines performing bulk registry searches for passwords using reg.exe query, PowerShell Get-ItemProperty, or PowerSploit modules like Get-RegistryAutoLogon. Uses DeviceRegistryEvents and DeviceProcessEvents.
Data Sources
Required Tables
False Positives & Tuning
- AutoLogon configuration tools legitimately reading/writing DefaultPassword for kiosk or service account auto-logon setup
- PuTTY and SSH client applications accessing their own saved session credentials for connection
- Microsoft Outlook and email clients accessing their own profile credential storage
- IT inventory and compliance tools that audit registry settings including credential storage configuration
- Security assessment tools explicitly authorized to check for insecure credential storage in the registry
Other platforms for T1552.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Query Registry for AutoLogon Credentials
Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing enabled for this key. The returned value (if present) is the plaintext password.
- Test 2Bulk Registry Password Search with reg.exe
Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.
- Test 3Query PuTTY Saved Session Credentials
Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.
- Test 4PowerSploit Get-RegistryAutoLogon
Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.
References (6)
- https://attack.mitre.org/techniques/T1552/002/
- https://pentestlab.blog/2017/04/19/stored-credentials/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- https://www.trendmicro.com/en_us/research/19/b/trickbot-adds-new-features-targets-energy-enterprises.html
Unlock Pro Content
Get the full detection package for T1552.002 including response playbook, investigation guide, and atomic red team tests.