Credentials in Registry - T1552.002
(ATT&CK® Technique)
Definition
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
D3FEND Inferred Relationships
Artifacts the offensive technique touches:
Credentials in Registry (T1552.002) accesses System Configuration Database.
Credentials in Registry (T1552.002) accesses Credential.

Defensive techniques related through those artifacts:
System Configuration Permissions restricts System Configuration Database; may harden Credentials in Registry.
Multi-factor Authentication uses Credential; may harden Credentials in Registry.
Credential Transmission Scoping isolates Credential; may isolate Credentials in Registry.
Reissue Credential restores Credential; may restore Credentials in Registry.
Credential Hardening hardens Credential; may harden Credentials in Registry.
Restore Database restores System Configuration Database; may restore Credentials in Registry.
Decoy User Credential spoofs Credential; may deceive Credentials in Registry.
Credential Compromise Scope Analysis analyzes Credential; may detect Credentials in Registry.
Authentication Cache Invalidation deletes Credential; may evict Credentials in Registry.
Credential Revocation deletes Credential; may evict Credentials in Registry.
Credential Rotation regenerates Credential; may harden Credentials in Registry.