T1552.002 Splunk · SPL

Detect Credentials in Registry in Splunk

Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.002 Credentials in Registry
Canonical reference
https://attack.mitre.org/techniques/T1552/002/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (EventCode=13
   (TargetObject="*\\Winlogon\\DefaultPassword*" OR TargetObject="*\\Winlogon\\AutoAdminLogon*")
  | eval AlertType="AutoLogon_Credential"
  | table _time, host, User, Image, TargetObject, Details, AlertType)
OR
  (EventCode=1
   (Image="*\\reg.exe")
   (CommandLine="*query*" AND (CommandLine="*/f password*" OR CommandLine="*/f passwd*" OR CommandLine="*/f pwd*"))
  | eval AlertType="RegQuery_PasswordSearch"
  | table _time, host, User, Image, CommandLine, AlertType)
OR
  (EventCode=1
   (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
   (CommandLine="*Get-RegistryAutoLogon*" OR CommandLine="*Find-GPOPassword*" OR CommandLine="*Get-SiteListPassword*" OR
    CommandLine="*Get-CachedGPPPassword*" OR (CommandLine="*Get-ItemProperty*" AND CommandLine="*password*"))
  | eval AlertType="PowerSploit_CredRegistry"
  | table _time, host, User, Image, CommandLine, AlertType)
OR
  (EventCode=12 OR EventCode=13)
  (TargetObject="*SimonTatham*" OR TargetObject="*PuTTY*" OR TargetObject="*Outlook*Profiles*" OR TargetObject="*VNC*Password*")
  NOT (Image IN ("*\\putty.exe", "*\\OUTLOOK.EXE", "*\\tvnserver.exe"))
| eval AlertType="ThirdPartyCredRead"
| table _time, host, User, Image, TargetObject, AlertType
)
| sort - _time
high severity high confidence

Detects registry credential access using Sysmon events. Covers four patterns: AutoLogon DefaultPassword key access (Event 13), reg.exe password search commands (Event 1), PowerSploit credential harvesting modules (Event 1), and registry key access to third-party credential stores (PuTTY sessions, Outlook profiles, VNC passwords) from unexpected processes (Events 12/13).

Data Sources

Windows Registry: Windows Registry Key AccessProcess: Process CreationSysmon Event ID 1, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • AutoLogon configuration tools reading/writing DefaultPassword for kiosk setup
  • PuTTY accessing its own saved session credentials
  • Microsoft Outlook accessing its own profile credential storage
  • IT inventory tools auditing registry credential storage
  • Authorized security assessment tools checking for insecure credential storage
Download portable Sigma rule (.yml)

Other platforms for T1552.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Query Registry for AutoLogon Credentials

    Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing enabled for this key. The returned value (if present) is the plaintext password.

  2. Test 2Bulk Registry Password Search with reg.exe

    Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.

  3. Test 3Query PuTTY Saved Session Credentials

    Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.

  4. Test 4PowerSploit Get-RegistryAutoLogon

    Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1552.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In FilesT1552.003Bash HistoryT1552.004Private KeysT1552.005Cloud Instance Metadata APIT1552.006Group Policy PreferencesT1552.007Container APIT1552.008Chat Messages

Related Techniques

T1552Unsecured CredentialsT1552.001Credentials In FilesT1552.006Group Policy PreferencesT1003OS Credential DumpingT1012Query RegistryT1021.001Remote Desktop ProtocolT1547.001Registry Run Keys / Startup Folder

Same Tactic: Credential Access

Popular Detections