216.73.217.22

T1552.002: T1552.002

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 25/05/2026 12:51

Essential information

MITRE technique ID
T1552.002
Confidence
100/100
Revoked
No
Published
16/12/2025 19:37
Modified
25/05/2026 12:51
Author / Source
The MITRE Corporation

Aliases

Credentials in Registry

Platforms

windows

Description

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials) * Local Machine Hive: `reg query HKLM /f password /t REG_SZ /s` * Current User Hive: `reg query HKCU /f password /t REG_SZ /s`

Kill chain phases

Kill chainPhase
mitre-attack credential-access

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.