Credentials in Registry

Internal recon, hunting for passwords in Windows registry

Execution

Scanning registry hives for the value password:

attacker@victim

reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s

As a defender, you may want to monitor commandline argument logs and look for any that include req query and passwordstrings:

Last updated 6 years ago