T1214: Credentials in Registry

Internal recon, hunting for passwords in Windows registry

Execution
Scanning registry hives for the value password:
attacker@victim
reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s
Observations
As a defender, you may want to monitor commandline argument logs and look for any that include req query and passwordstrings:
References
Unsecured Credentials: Credentials in Registry, Sub-technique T1552.002 - Enterprise | MITRE ATT&CK®
attack.mitre.org

Reading DPAPI Encrypted Secrets with Mimikatz and C++

T1174: Password Filter

Last updated 2 years ago