> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/t1214-credentials-in-registry.md).

# Credentials in Registry

## Execution

Scanning registry hives for the value `password`:

{% code title="attacker\@victim" %}

```csharp
reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s
```

{% endcode %}

## Observations

As a defender, you may want to monitor commandline argument logs and look for any that include `req query` and `password`strings:

![](/files/-LK6zKzHNSh8NEFrM0wW)

## References

{% embed url="<https://attack.mitre.org/wiki/Technique/T1214>" %}
