title: Credentials in Registry (T1552.002)
id: df00tech-t1552-002
status: experimental
description: "Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials. The Registry stores configuration data used by programs for automatic logons, saved passwords, and service credentials. Common registry credential locations include: Windows AutoLogon (HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword), PuTTY saved sessions (SOFTWARE\\SimonTatham\\Putty\\Sessions), Outlook profiles (HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles), VNC passwords (SOFTWARE\\{TightVNC,RealVNC,UltraVNC}), and SNMP community strings. TrickBot, APT32, IceApple, Valak, and StrelaStealer have all abused registry credential storage."
references:
  - https://attack.mitre.org/techniques/T1552/002/
  - https://df00tech.com/detections/T1552.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1552.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder only: with EventID '*' it matches every
  # process_creation event, so this rule must not be deployed as-is. Replace it with
  # the vendor query, or with a registry-based selection covering the key paths named
  # in the description (note that registry reads, as opposed to writes, are only
  # visible when object-access auditing is enabled for those keys).
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - AutoLogon configuration tools legitimately reading/writing DefaultPassword for kiosk or service account auto-logon setup
  - PuTTY and SSH client applications accessing their own saved session credentials for connection
  - Microsoft Outlook and email clients accessing their own profile credential storage
  - IT inventory and compliance tools that audit registry settings including credential storage configuration
  - Security assessment tools explicitly authorized to check for insecure credential storage in the registry
level: high
