DET0250: Detect Credential Discovery via Windows Registry Enumeration
This detection strategy matters because credentials left in the Windows Registry can turn one compromised endpoint into broader identity compromise. Even t...
Analyst context for executives and security teams
This detection strategy matters because credentials left in the Windows Registry can turn one compromised endpoint into broader identity compromise. Even though MITRE does not provide detection details for DET0250, its relationship to ATT&CK technique T1552.002 makes the defensive question clear: can the organization see and investigate unusual Registry access that may indicate credential discovery?
Executive priority
Prioritize this as an identity and incident-readiness validation item. Leaders should ask whether endpoint logging, SOC triage, and incident response playbooks can prove when systems are queried for Registry-stored credentials, especially where automatic logon, services, or applications may have stored secrets insecurely. The business value is reducing lateral movement opportunity and improving evidence quality during credential-access investigations.
Technical view
DET0250 is a detection strategy for Credential Discovery via Windows Registry Enumeration and detects T1552.002, Credentials in Registry, under credential-access. Because the official object provides no detection logic, teams should validate coverage against Windows Registry query/enumeration activity involving locations where credentials or password-related configuration may be stored. Focus on whether telemetry can distinguish normal administrative, software, or service activity from suspicious enumeration across Registry paths and keys associated with stored credentials.
Likely telemetry
- Windows Registry access/query telemetry from endpoints
- Process execution telemetry showing command-line or tool activity that queries the Registry
- Endpoint detection and response events involving Registry enumeration
- Windows security or system logs where Registry auditing is enabled
- Asset and software context to identify legitimate administrative or application-driven Registry access
Detection direction
- Confirm that Registry query/enumeration events are actually collected from Windows systems relevant to credential risk.
- Correlate Registry access with process name, command line, user context, host role, and timing to separate administration from suspicious discovery behavior.
- Tune for unusual or broad searches for password, credential, autologon, service, or application secret-related Registry content without relying on keyword matching alone.
- Review false positives from system management tools, installers, troubleshooting scripts, security products, and legitimate administrators.
- Use the relationship to T1552.002 to connect alerts to credential-access investigations and follow-on identity risk review.
Mitigation priorities
- Inventory and reduce insecure credential storage in the Windows Registry where found.
- Review use of automatic logon or application/service configurations that may place secrets in Registry-accessible locations.
- Limit administrative privileges and Registry access paths where business operations allow.
- Enable and retain sufficient endpoint and Registry-related telemetry to support SOC triage and IR evidence needs.
- Ensure IR playbooks include credential reset, host containment, and scope validation when Registry credential discovery is suspected.
Analyst notes and limits
The supplied MITRE object is a detection strategy, not a full technique description, and it has no official description or detection text. The strongest supported context comes from its relationship to T1552.002, Credentials in Registry, which is a Windows credential-access behavior. Local environment baselines are essential because legitimate administration and software behavior can resemble Registry enumeration.
No official detection logic, platforms, tactics, or description are provided directly on DET0250. Platform and tactic context are inferred only from the supplied relationship to T1552.002. This take does not assert active exploitation, attribution, impact, or existing detection coverage.
Detect Credential Discovery via Windows Registry Enumeration
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | This object detects Credentials in Registry. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 4f6b75e76975… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0250Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.