Auto Admin Logon Enabled via Registry

Last updated on:

Rule name: Auto Admin Logon Enabled via Registry

Rule type: Standard

Log sources: Sysmon, Windows

MITRE ATT&CK tags: Persistence: Modify Registry (T1112); Defense Evasion: Modify Registry (T1112)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Detects registry changes enabling automatic administrator logon, exposing credentials and enabling unauthorized access.

Why this rule?

Enabling automatic administrator logon through registry modification stores credentials in plaintext or easily reversible format, creating a critical security vulnerability that attackers exploit to obtain privileged credentials, maintain persistent access, and bypass normal authentication controls. This configuration is particularly dangerous because it allows anyone with physical or remote access to the system to automatically authenticate with administrator privileges without providing credentials, enables credential harvesting through simple registry queries, and violates security best practices across all compliance frameworks including PCI-DSS, NIST, CIS benchmarks, and HIPAA.

Severity

Trouble

Rule journey

Attack chain scenario

Credential Access, Persistence → Registry Modification → Auto Admin Logon Enabled → Unauthorized Access.

Impact

Exposes administrator credentials through registry, enabling unauthorized access and potential lateral movement.

Rule Requirement

Prerequisites

Enable registry auditing or Sysmon Event ID 13 (Registry value modification).

Criteria

Action1: actionname = "Registry Event" AND (OBJECTNAME endswith "AutoAdminLogon" OR OBJECTVALUENAME = "AutoAdminLogon") AND (CHANGES = "1" OR INFORMATION = "DWORD (0x00000001)") select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
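The criteria above expressed as a small detector run over sample log records, added here as an illustration and not part of the rule's own query or the vendor's code. It assumes Sysmon Event ID 13 events with the standard EventData fields (TargetObject, Details, Image, User); the records below are constructed, and the allowlist parameter is a hypothetical stand-in for the environment-specific filter the Known False Positives section recommends.

```python
# Sysmon EID 13 (RegistryEvent value set) records, constructed for this example.
# Windows value names are case-insensitive, so matching is done in lower case.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\jdoe",
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "1"},          # REG_SZ "1": alert
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\svc-build",
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "DWORD (0x00000001)"},  # alert
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\jdoe",
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "0"},          # disabling: no alert
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\jdoe",
     "TargetObject": WINLOGON + r"\DefaultDomainName", "Details": "CORP"},    # other value: no alert
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\jdoe",
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": ""},           # key create/delete event: no alert
]

# The two renderings of "enabled" the rule's criteria look for (CHANGES / INFORMATION).
ENABLED_VALUES = {"1", "dword (0x00000001)"}


def matches_rule(event: dict) -> bool:
    """Mirror the rule: a registry value-set event whose target ends with
    AutoAdminLogon and whose new data turns automatic logon on."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    value_name = target.rsplit("\\", 1)[-1]
    if not (target.endswith("autoadminlogon") or value_name == "autoadminlogon"):
        return False
    return event.get("Details", "").strip().lower() in ENABLED_VALUES


def find_alerts(events, allowlist=frozenset()):
    """Return one alert per matching event, keeping the fields the rule selects.
    `allowlist` (hypothetical) drops changes made by accounts authorised to do this."""
    alerts = []
    for e in events:
        if matches_rule(e) and e.get("User") not in allowlist:
            alerts.append({"User": e["User"], "Image": e["Image"],
                           "TargetObject": e["TargetObject"], "Details": e["Details"]})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS, allowlist={"CORP\\svc-build"}):
        print(a)
```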

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Modify Registry (T1112)

Defense Evasion: Modify Registry (T1112)

Future actions

Known False Positives

An IT admin might perform this action legitimately; add filters as required for your environment.

Next Steps

  1. Identification: Identify which credentials were stored in the registry.
  2. Analysis: Determine if this configuration was authorized or malicious.
  3. Response: Remove plaintext credentials from registry and rotate affected passwords.

Mitigation

ID: M1024

Mitigation: Restrict Registry Permissions

Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.