Credentials in Registry
Internal recon, hunting for passwords in Windows registry

Execution

Scanning registry hives for the value password:
reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s

Observations

As a defender, you may want to monitor command-line argument logs and look for any that include both the reg query and password strings.
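One way to express that check over collected process-creation command lines. This is an added example, not part of the original page. The event field names (host, user, cmdline), the keywords beyond "password", and the sample events are all constructed assumptions.

```python
import shlex
from ntpath import basename  # Windows path rules on any OS

# "password" is the term used on the page; the other keywords are assumed additions.
KEYWORDS = ("password", "passwd", "pwd", "credential")

# Constructed process-creation events; the field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice",
     "cmdline": r'reg query HKLM /f password /t REG_SZ /s'},
    {"host": "WS01", "user": "alice",
     "cmdline": r'"C:\Windows\System32\reg.exe" QUERY HKCU /F "PassWord" /t REG_SZ /s'},
    {"host": "WS02", "user": "bob",
     "cmdline": r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir'},
    {"host": "WS02", "user": "bob",
     "cmdline": r'findstr /i password notes.txt'},
]

def parse_reg_query(cmdline):
    """Return root key, /f search term and /s flag of a `reg query`, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    if len(tokens) < 3:
        return None
    if basename(tokens[0]).lower() not in ("reg", "reg.exe"):
        return None
    if tokens[1].lower() != "query":
        return None
    args, term = tokens[3:], None
    for i, tok in enumerate(args[:-1]):
        if tok.lower() == "/f":
            term = args[i + 1]
    recursive = any(a.lower() == "/s" for a in args)
    return {"root": tokens[2], "term": term, "recursive": recursive}

def detect(events):
    """Flag events where reg query searches for a credential-like term."""
    hits = []
    for ev in events:
        q = parse_reg_query(ev["cmdline"])
        if q and q["term"] and any(k in q["term"].lower() for k in KEYWORDS):
            hits.append((ev["host"], ev["user"], q["root"], q["term"], q["recursive"]))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Matching on parsed tokens rather than a raw substring keeps the rule working when the command uses a full path to reg.exe, mixed case, or a quoted search term.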

References

Unsecured Credentials: Credentials in Registry, Sub-technique T1552.002 - Enterprise | MITRE ATT&CK®