Credentials in Registry (T1552.002)

Information

• Name: Credentials in Registry

• ID: T1552.002

• Tactics:

• Technique:

Introduction

Credentials in Registry (T1552.002) is a sub-technique within the MITRE ATT&CK framework, categorized under the Credential Access tactic. It involves adversaries storing or extracting credentials—such as usernames, passwords, hashes, or tokens—from the Windows Registry. Attackers frequently leverage this sub-technique to maintain persistence, escalate privileges, and facilitate lateral movement across compromised networks. The Registry, being a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems, is a prime target due to its central role in system operations and its ability to store sensitive information.

Deep Dive Into Technique

Attackers utilize various methods to exploit the Windows Registry for credential storage and retrieval:

• Direct Registry Storage: Attackers directly store credentials (plaintext or encoded) within registry keys and values. These keys can be hidden in obscure locations or mimic legitimate system entries to evade detection.

• Extraction of Stored Credentials: Sensitive credentials stored by legitimate applications or system components (such as VPN clients, remote desktop applications, or third-party programs) in the registry can be targeted and extracted.

• Registry Hive Files: Attackers may extract and analyze registry hive files (e.g., SAM, SECURITY, SYSTEM hives) offline to recover hashed passwords or other credential artifacts.

• Persistence and Obfuscation: Attackers can use the registry to store credentials persistently, enabling them to remain hidden and evade standard detection methods. Registry keys can be obfuscated, encrypted, or encoded to further complicate detection.

• Common Registry Locations Exploited:

  • HKEY_LOCAL_MACHINE\SAM: Stores hashed passwords for local accounts.

  • HKEY_LOCAL_MACHINE\SECURITY\Cache: Contains cached domain credentials.

  • HKEY_CURRENT_USER\Software: Often used by applications to store credentials in plaintext or encoded form.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: May contain credentials or credential-related settings.

Attackers typically use tools such as Mimikatz, Registry Editor (regedit.exe), PowerShell scripts, and custom malware to exploit registry-stored credentials.

When this Technique is Usually Used

This sub-technique commonly appears during multiple stages of an attack lifecycle, including:

• Credential Access Stage: Attackers extract credentials from registry hives or registry-stored application data to escalate privileges or pivot to other systems.

• Persistence Stage: Attackers store credentials in registry keys to maintain long-term access, allowing them to easily re-authenticate without raising suspicion.

• Lateral Movement Stage: Registry-stored credentials enable attackers to move laterally across the network, using legitimate credentials to access other hosts or services.

• Defense Evasion Stage: Attackers leverage obscure or encrypted registry entries to evade detection by security tools that rely on traditional file-based indicators.

Attack scenarios include:

• Compromising administrative accounts by extracting cached credentials from registry hives.

• Harvesting credentials from third-party applications storing passwords insecurely in the registry.

• Persistently storing stolen credentials within registry keys for re-use in future attacks.

How this Technique is Usually Detected

Detection of credential storage or extraction from the registry typically involves multiple layers of monitoring and analysis:

• Registry Monitoring Tools:

  • Sysmon (System Monitor) configured to log registry key creation, modification, and deletion.

  • Endpoint Detection and Response (EDR) solutions that detect suspicious registry access patterns or unusual credential-related entries.

• Behavioral Analytics and Anomaly Detection:

  • Monitoring unexpected or anomalous registry activity, such as frequent access to sensitive registry hives (SAM, SECURITY, SYSTEM).

  • Identifying abnormal processes (such as PowerShell, reg.exe, or unknown executables) interacting with credential-related registry keys.

• Log Analysis and Alerting:

  • Windows Event Logs, particularly security logs, to detect unauthorized registry access or hive extraction.

  • Centralized logging solutions (SIEM) to correlate registry activities with other suspicious behaviors.

• Threat Hunting Techniques:

  • Proactively searching for unusual or suspicious registry entries, especially in locations known to store credentials.

  • Investigating registry keys with encoded or encrypted data that could represent stored credentials.

Indicators of Compromise (IoCs):

• Suspicious registry keys or values in unusual locations containing encoded or plaintext credentials.

• Registry access by suspicious or unauthorized processes (e.g., unknown executables, scripts, or administrative tools used at unusual times).

• Extraction or copying of registry hive files (SAM, SECURITY, SYSTEM) to external locations or temporary folders.

Why it is Important to Detect This Technique

Early detection of credential storage or extraction from the registry is critical due to potential severe impacts, including:

• Privilege Escalation: Attackers gaining administrative privileges by extracting and cracking password hashes stored in registry hives.

• Persistence: Attackers maintaining long-term access to compromised systems by storing credentials in hidden registry keys, complicating remediation efforts.

• Lateral Movement: Credentials harvested from the registry can enable attackers to move throughout the network undetected, compromising additional hosts and services.

• Data Exfiltration: Attackers with valid credentials can easily access sensitive data, leading to data breaches, intellectual property theft, or unauthorized disclosure of sensitive information.

• Operational Impact: Organizations may experience significant disruption, compliance violations, reputational damage, and financial loss resulting from credential compromise.

Detecting this sub-technique early allows security teams to:

• Respond promptly, limiting attacker dwell time and lateral movement.

• Prevent further credential compromise and mitigate potential breaches.

• Strengthen security posture by improving credential management practices and monitoring capabilities.

Examples

Real-world examples of adversaries exploiting credentials stored in the registry:

• APT29 (Cozy Bear):

  • Known to use Mimikatz to extract credentials from registry hives (SAM, SECURITY) to escalate privileges and move laterally.

  • Leveraged registry keys to store stolen credentials persistently, enabling continued access to compromised networks.

• FIN6 Cybercriminal Group:

  • Extracted cached domain credentials from registry hives to facilitate lateral movement and compromise payment processing systems in retail environments.

• TrickBot Malware:

  • Harvested credentials stored by third-party applications (e.g., browsers, email clients) in registry keys, enabling financial fraud and lateral movement within enterprise networks.

• Agent Tesla Malware:

  • Frequently targeted registry-stored credentials from FTP clients, web browsers, and email applications, exfiltrating data to attacker-controlled servers for espionage and financial gain.

Attack scenarios typically involve:

• Initial compromise through phishing or exploit kits.

• Deployment of credential extraction tools (e.g., Mimikatz) to access registry-stored credentials.

• Use of stolen credentials to escalate privileges, maintain persistence, and move laterally across the network.

• Exfiltration of sensitive data or further compromise of critical infrastructure and systems.