Detect Credentials in Registry in Sumo Logic CSE
Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword), PuTTY saved sessions (SOFTWARE\SimonTatham\Putty\Sessions), Outlook profiles (HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles), VNC passwords (SOFTWARE\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.002 Credentials in Registry
- Canonical reference
- https://attack.mitre.org/techniques/T1552/002/
Sumo Detection Query
(_sourceCategory="*/windows/sysmon" OR _sourceCategory="*/sysmon/operational")
| json auto
| where EventCode in ("1", "12", "13")
| where (
(EventCode in ("12", "13") and (
TargetObject matches "*\\Winlogon\\DefaultPassword*" OR
TargetObject matches "*\\Winlogon\\AutoAdminLogon*" OR
TargetObject matches "*SimonTatham*" OR
TargetObject matches "*PuTTY*" OR
TargetObject matches "*Putty*" OR
TargetObject matches "*Outlook*Profiles*" OR
TargetObject matches "*VNC*Password*" OR
TargetObject matches "*RealVNC*" OR
TargetObject matches "*TightVNC*" OR
TargetObject matches "*UltraVNC*"
) and not (
Image matches "*\\putty.exe" OR
Image matches "*\\OUTLOOK.EXE" OR
Image matches "*\\tvnserver.exe"
))
OR
(EventCode = "1" and (
(Image matches "*\\reg.exe" and CommandLine matches "*query*" and (
CommandLine matches "*/f password*" OR
CommandLine matches "*/f passwd*" OR
CommandLine matches "*/f pwd*"
)) OR
((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") and (
CommandLine matches "*Get-RegistryAutoLogon*" OR
CommandLine matches "*Find-GPOPassword*" OR
CommandLine matches "*Get-SiteListPassword*" OR
CommandLine matches "*Get-CachedGPPPassword*" OR
(CommandLine matches "*Get-ItemProperty*" and CommandLine matches "*password*")
))
))
)
| if (EventCode in ("12","13") and TargetObject matches "*Winlogon*", "AutoLogon_Credential",
if (EventCode in ("12","13") and (TargetObject matches "*SimonTatham*" or TargetObject matches "*PuTTY*"), "PuTTY_Credential",
if (EventCode in ("12","13") and TargetObject matches "*Outlook*Profiles*", "Outlook_Credential",
if (EventCode in ("12","13") and TargetObject matches "*VNC*", "VNC_Credential",
if (EventCode = "1" and Image matches "*reg.exe*", "RegQuery_PasswordSearch",
"PowerSploit_CredRegistry"))))) as AlertType
| count by _time, Computer, User, Image, TargetObject, CommandLine, AlertType
| fields -_count
| sort by _time descSumo Logic detection for T1552.002 credential registry access. Parses Sysmon operational logs for registry events (EventCode 12/13) targeting AutoLogon, PuTTY, Outlook, and VNC credential paths, and process events (EventCode 1) for reg.exe and PowerShell-based credential harvesting commands. Enriches each alert with a categorised AlertType field.
Data Sources
Required Tables
False Positives & Tuning
- Domain group policy management tools that enumerate AutoLogon registry settings across OUs to enforce policy baseline compliance
- Enterprise password vault agents (Delinea Secret Server, CyberArk EPM) accessing VNC or PuTTY registry paths to rotate stored credentials
- Security assessment tools such as Nessus or Qualys credential scanners that query registry-based service credentials during authenticated internal scans
Other platforms for T1552.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Query Registry for AutoLogon Credentials
Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'DefaultPassword'. Security Event ID 4663 (Object Access) if registry auditing enabled for this key. The returned value (if present) is the plaintext password.
- Test 2Bulk Registry Password Search with reg.exe
Expected signal: Sysmon Event ID 1: reg.exe with 'query HKLM /f password /t REG_SZ /s'. The command will iterate through the entire HKLM hive, generating multiple registry access events. Output shows all registry paths containing 'password'.
- Test 3Query PuTTY Saved Session Credentials
Expected signal: Sysmon Event ID 1: reg.exe with 'query' and 'SimonTatham'. Registry access events for each PuTTY session key. Output includes HostName, UserName, and connection parameters for each saved session.
- Test 4PowerSploit Get-RegistryAutoLogon
Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-RegistryAutoLogon'. Sysmon Event ID 7: PowerSploit module DLL loaded. Registry access to Winlogon key. PowerShell ScriptBlock Log Event ID 4104 with function content.
References (6)
- https://attack.mitre.org/techniques/T1552/002/
- https://pentestlab.blog/2017/04/19/stored-credentials/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- https://www.trendmicro.com/en_us/research/19/b/trickbot-adds-new-features-targets-energy-enterprises.html
Unlock Pro Content
Get the full detection package for T1552.002 including response playbook, investigation guide, and atomic red team tests.