MITRE ATT&CK® Technique

T1552.002: Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: [1]

* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s
* Current User Hive: reg query HKCU /f password /t REG_SZ /s

Enterprise | T1552.002 | Sub-technique | Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Credentials in Registry matters because a compromised Windows endpoint may expose passwords or auto-logon secrets that were stored for convenience by users, services, or applications. For leaders, the risk is not just one host being accessed; it is that a local compromise can become a credential-access event that enables broader account misuse if registry-stored secrets are unmanaged or unaudited.

Executive priority

Prioritize this as a Windows credential hygiene and monitoring issue. Ask whether privileged and service accounts are allowed to store reusable credentials in the Registry, whether audit evidence can show registry enumeration on sensitive systems, and whether incident responders can quickly determine which accounts may need password reset or privilege review after a host compromise. This supports IAM, compliance readiness, and incident decision-making without assuming any specific exposure in the environment.

Technical view

This is a credential-access sub-technique under Unsecured Credentials for Windows. SOC and IR teams should validate visibility into suspicious Registry enumeration, especially broad searches of HKLM/HKCU for password-related values and use of native tooling such as Reg, as well as PowerShell or malware-linked behaviors where locally observed. ATT&CK provides no official detection text for this object, but the related detection strategy DET0250 indicates a focus on credential discovery via Windows Registry enumeration. Relationship context also shows use by multiple groups and software families, so detections should treat the behavior as technique-driven rather than actor-specific.

Likely telemetry

  • Windows process creation telemetry showing registry utilities, PowerShell, or other command interpreters interacting with Registry hives
  • Command-line arguments or script block content indicating broad Registry searches for credential-related strings
  • Registry access auditing for sensitive keys where enabled and operationally feasible
  • Endpoint detection and response telemetry correlating process lineage, user context, host role, and Registry enumeration volume
  • Authentication and account activity logs to assess whether discovered credentials may have been reused after host compromise

Detection direction

  • Validate whether DET0250-style logic exists for Windows Registry credential discovery rather than relying only on malware signatures.
  • Tune for broad or unusual Registry enumeration patterns, especially searches across HKLM or HKCU for password-related values, while accounting for legitimate administration, inventory, and troubleshooting activity.
  • Correlate Registry search activity with process parentage, user privilege level, remote execution indicators, and subsequent authentication behavior to reduce false positives.
  • Check blind spots: endpoints without process command-line logging, disabled PowerShell logging, limited Registry auditing, or unmanaged servers may miss the decisive evidence.
  • Use relationship context for enrichment only; do not require a specific group or malware family match to alert on the behavior.
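As an added example (not part of the Glexia page or the ATT&CK object), the following Python scores constructed process-creation records using the signals the list above describes: a credential keyword in the search term, recursion, a search starting at a hive root, and parent-process context. The record fields, weights and threshold are assumptions for the demonstration.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style);
# sample inputs for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "reg query HKLM /f password /t REG_SZ /s"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "winword.exe",
     "cmd": "reg query HKCU /f password /t REG_SZ /s"},
    {"host": "srv02", "user": "CORP\\svc-inv", "parent": "inventory-agent.exe",
     "cmd": "reg query HKLM\\SOFTWARE\\Vendor\\App /v Version"},
    {"host": "ws03", "user": "CORP\\asmith", "parent": "explorer.exe",
     "cmd": "powershell.exe -nop Get-ChildItem HKLM:\\ -Recurse | Select-String -Pattern password"},
]

CRED_TERMS = re.compile(r"\b(password|passwd|pwd|credential|secret)\b", re.I)
HIVE_ROOT = re.compile(r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\?$", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed triage context

def score_event(ev):
    """Return (score, reasons); higher means broader, more credential-focused enumeration."""
    cmd = ev["cmd"]
    low = cmd.lower().split()
    score, reasons = 0, []
    if low[:2] in (["reg", "query"], ["reg.exe", "query"]):
        if "/f" in low and low.index("/f") + 1 < len(low) and CRED_TERMS.search(low[low.index("/f") + 1]):
            score += 3; reasons.append("reg /f search for a credential keyword")
        if "/s" in low:
            score += 1; reasons.append("recursive search (/s)")
        if len(low) > 2 and HIVE_ROOT.match(low[2]):
            score += 2; reasons.append("search starts at a hive root")
    elif low and low[0].startswith("powershell"):
        if "-recurse" in low and CRED_TERMS.search(cmd):
            score += 3; reasons.append("PowerShell recursive registry search for a credential keyword")
        if re.search(r"\bhk(lm|cu):\\", cmd, re.I):
            score += 2; reasons.append("registry provider path from a hive root")
    if ev["parent"].lower() in OFFICE_PARENTS:
        score += 2; reasons.append("spawned by an Office process")
    return score, reasons

def detect(events, threshold=5):
    """Return alert dicts for records scoring at or above threshold (assumed value)."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], "score": score, "reasons": reasons})
    return alerts
```

The narrow key query from the inventory agent on srv02 scores zero, while the three hive-wide credential searches alert; in production the weights would be tuned against the local baseline of administrative activity.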

Mitigation priorities

  • Start with privileged account management: restrict and review privileged account use, enforce least privilege, and monitor privileged account activity.
  • Apply password policy controls that reduce credential reuse and the value of any credential recovered from a local system.
  • Audit systems and configurations for insecurely stored credentials, especially auto-logon or application/service secrets in the Registry.
  • Where Registry-stored credentials are found, remove or replace them with more controlled account and secret-management practices appropriate to the environment.
  • Ensure incident response playbooks include account scoping, credential rotation decisions, and evidence preservation when Registry credential discovery is suspected.

Analyst notes and limits

The most useful defensive question is whether the organization can distinguish legitimate Registry administration from credential-focused enumeration on Windows systems. Native tools such as Reg can be legitimate, so context, scope, user role, and follow-on authentication activity are important. Related mitigations are M1026 Privileged Account Management, M1027 Password Policies, and M1047 Audit.

The ATT&CK object does not provide official detection guidance, and the supplied data does not identify specific Registry keys beyond general password-related searches. Local baselines, enabled Windows logging, EDR coverage, and application-specific credential storage practices are required to assess real exposure and detection quality.

Official MITRE ATT&CK definition

Credentials in Registry

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                     Relationship / procedure
Enterprise  T1552   Unsecured Credentials    This object is a sub-technique of Unsecured Credentials.
Enterprise  T1214   Credentials in Registry  T1214 Credentials in Registry is revoked by this object.
Associated objects

Groups, software, and campaigns

G0050: APT32 (Group, Enterprise)

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]

G1055: VOID MANTICORE (Group, Enterprise)

VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).[1] Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.[1][2] VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.[1][3] VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.[4]

G1039: RedCurl (Group, Enterprise)

RedCurl is a threat actor active since 2018, notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access; the group then executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

S0075: Reg (Tool, Enterprise)

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.[1]

Utilities such as Reg are known to be used by persistent threats.[2]

Platforms: Windows

S0194: PowerSploit (Tool, Enterprise)

PowerSploit is an open source, offensive security framework consisting of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]

Platforms: Windows

S1022: IceApple (Malware, Enterprise)

IceApple is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.[1]

Platforms: Windows

S1183: StrelaStealer (Malware, Enterprise)

StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.[1][2][3][4]

Platforms: Windows

S0266: TrickBot (Malware, Enterprise)

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

Platforms: Windows

S0476: Valak (Malware, Enterprise)

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[1][2]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 2d9497a0c6a2e6de...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.2                       Current bundle  2d9497a0c6a2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] netbiosX. (2017, April 19). Stored Credentials. Pentestlab. Retrieved April 6, 2018.
  [2] mitre-attack. T1552.002: Credentials in Registry.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.