detection.wiki

ATT&CK coverage › Technique

Unsecured Credentials: Credentials in Registry T1552.002

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Events covered

5 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Security-Auditing4656A handle to an object was requested.
Security-Auditing4688A new process has been created.

Authoring guide

Patterns shared across the 6 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image3ends_with 3\reg.exe, reg.exe
CommandLine3match 3\Software\TightVNC\Server, \Software\Aerofox\FoxmailPreview, \Software\SimonTatham\PuTTY\SshHostKeys\, HKCU, REG_SZ
registry_path2eq 2"*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
registry_value_name2eq 2DefaultUserName, DefaultPassword, AutoAdminLogon
OriginalFileName1eq 1reg.exe
ObjectName1ends_with 1\SAM
ObjectType1eq 1Key
Details1is_not_null 1, eq 11

Top indicator values (40 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
CommandLinematchsave22
CommandLinematchexport22
CommandLinematch\Software\OpenVPN-GUI\configs22
CommandLinematch\Software\SimonTatham\PuTTY\Sessions22
CommandLinematch\Software\Aerofox\Foxmail\V3.122
CommandLinematch\Software\RimArts\B2\Settings22
CommandLinematch\Software\RealVNC\WinVNC422
CommandLinematch\Software\Aerofox\FoxmailPreview22
CommandLinematch\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin22
CommandLinematch\Software\IncrediMail\Identities22
CommandLinematch\Software\Martin Prikryl\WinSCP 2\Sessions22
CommandLinematch\Software\Qualcomm\Eudora\CommandLine22
CommandLinematch\Software\TightVNC\Server22
CommandLinematch\Software\FTPWare\COREFTP\Sites22
CommandLinematch\Software\OpenSSH\Agent\Keys22
CommandLinematch\Software\Sota\FFFTP22
CommandLinematch\Software\DownloadManager\Passwords22
CommandLinematch\Software\ORL\WinVNC3\Password22
Imageends_with\reg.exe246
registry_patheq"*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"22

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Splunk 2 rules