DefaultUser And Password added In Registry
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| DefaultUser And Password added In Registry | Standard | Sysmon, Windows | Persistence: Modify Registry (T1112); Defense Evasion: Modify Registry (T1112); Credential Access: Unsecured Credentials - Credentials in Registry (T1552.002) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects a write to the DefaultUserName or DefaultPassword value under the Winlogon registry key. These are the automatic-logon settings, and DefaultPassword holds the account password as a plaintext string, exposing credentials for reuse or lateral movement.
Why this rule?
Windows automatic logon reads the account name from the DefaultUserName value and the password from the DefaultPassword value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and DefaultPassword is stored as a plain REG_SZ string. Recovering it needs no exploit: a single registry query, a copied SOFTWARE hive, or any of the common credential-harvesting tools that check this key will return it, and the key is readable by non-administrative users by default. An attacker who finds the value gains a working account on the host, can move laterally wherever the same password is accepted, can keep access through credential reuse after the original foothold is cleaned up, and escalates directly if the stored account is an administrator. Storing credentials this way also violates basic credential-management principles and fails compliance audits (PCI DSS requires stored passwords to be rendered unreadable), and when the stored account is privileged it gives an attacker a short path from a single compromised workstation to the rest of the domain.
Severity
Trouble
Rule journey
Attack chain scenario
Credential Access, Persistence → Registry Modification → Plaintext Credentials Stored → Credential Theft → Lateral Movement.
Impact
Plaintext credentials stored in registry enable credential theft and potential lateral movement across the network.
Rule Requirement
Prerequisites
Enable registry auditing or Sysmon Event ID 13 (RegistryEvent, Value Set). Sysmon only records value writes whose TargetObject is matched by an include rule in the loaded configuration, so the configuration must cover the Winlogon key (at minimum the DefaultUserName and DefaultPassword values). For native Windows auditing, enable Audit Registry under Object Access and place a SACL on the Winlogon key so that value modifications produce Event ID 4657.
Criteria
Action1: actionname = "Registry Event" AND (( OBJECTNAME contains "Microsoft\Windows NT\CurrentVersion\Winlogon" ) AND ( OBJECTNAME endswith "DefaultUserName" OR OBJECTVALUENAME = "DefaultUserName" OR OBJECTNAME endswith "DefaultPassword" OR OBJECTVALUENAME = "DefaultPassword" )) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
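The criteria above, replayed in Python over a handful of constructed Sysmon Event ID 13 records, as an added example that is not part of this rule page or of the vendor's engine. It applies the same Winlogon-key and value-name conditions, adds the environment-specific exclusion that the Known False Positives note recommends (the allowlisted image path is a hypothetical placeholder), and marks DefaultPassword writes separately because that is the value holding the plaintext password. Every event, host name and password below is made up for the example.

```python
"""Replay the 'DefaultUser And Password added In Registry' criteria over
constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records."""

from dataclasses import dataclass

# Substring the rule requires in the object path (compared case-insensitively,
# since registry paths are case-insensitive).
WINLOGON_KEY = r"microsoft\windows nt\currentversion\winlogon"

# Value names the rule watches (lower-cased for comparison).
WATCHED_VALUES = {"defaultusername", "defaultpassword"}

# Hypothetical allowlist standing in for the environment-specific filter the
# rule's false-positive note recommends: images permitted to write these values.
ALLOWED_IMAGES = {r"c:\deploy\kiosk-setup.exe"}


@dataclass(frozen=True)
class SysmonRegistryEvent:
    """Subset of Sysmon Event ID 13 fields used by the rule."""
    event_id: int
    event_type: str      # Sysmon reports "SetValue" for Event ID 13
    target_object: str   # full registry path including the value name
    details: str         # new value written
    image: str           # process that performed the write
    user: str
    computer: str


def value_name(target_object: str) -> str:
    """Last path component of TargetObject, i.e. the registry value name."""
    return target_object.rsplit("\\", 1)[-1]


def matches_rule(ev: SysmonRegistryEvent) -> bool:
    """Mirror of the rule criteria: a registry value write under the Winlogon
    key whose value name is DefaultUserName or DefaultPassword.

    The value name is compared exactly (the OBJECTVALUENAME branch of the rule)
    rather than with endswith, so other values that merely end in the same
    string do not fire."""
    if ev.event_id != 13 or ev.event_type != "SetValue":
        return False
    if WINLOGON_KEY not in ev.target_object.lower():
        return False
    return value_name(ev.target_object).lower() in WATCHED_VALUES


def is_allowlisted(ev: SysmonRegistryEvent) -> bool:
    """Environment-specific suppression (hypothetical image allowlist)."""
    return ev.image.lower() in ALLOWED_IMAGES


def evaluate(events):
    """Return one alert per matching, non-allowlisted event, carrying the
    fields the rule selects. DefaultPassword writes are flagged because that
    value is the plaintext password; DefaultUserName alone is not a secret."""
    alerts = []
    for ev in events:
        if not matches_rule(ev) or is_allowlisted(ev):
            continue
        name = value_name(ev.target_object)
        alerts.append({
            "hostname": ev.computer,
            "user": ev.user,
            "process": ev.image,
            "object": ev.target_object,
            "value_name": name,
            "plaintext_password": name.lower() == "defaultpassword",
            "new_value": ev.details,
        })
    return alerts


WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REG = r"C:\Windows\System32\reg.exe"

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # Manual autologon setup with reg.exe: both watched values written.
    SysmonRegistryEvent(13, "SetValue", WINLOGON + r"\DefaultUserName",
                        "svc_kiosk", REG, r"CORP\jdoe", "WS01"),
    SysmonRegistryEvent(13, "SetValue", WINLOGON + r"\DefaultPassword",
                        "Winter2024!", REG, r"CORP\jdoe", "WS01"),
    # AutoAdminLogon is the switch that activates the values above; the rule as
    # written does not match it, so it has to be checked during triage.
    SysmonRegistryEvent(13, "SetValue", WINLOGON + r"\AutoAdminLogon",
                        "1", REG, r"CORP\jdoe", "WS01"),
    # Unrelated Winlogon value: no match.
    SysmonRegistryEvent(13, "SetValue", WINLOGON + r"\Shell",
                        "explorer.exe", r"C:\Windows\System32\svchost.exe",
                        r"NT AUTHORITY\SYSTEM", "WS01"),
    # Same write from the hypothetical allowlisted deployment tool: suppressed.
    SysmonRegistryEvent(13, "SetValue", WINLOGON + r"\DefaultUserName",
                        "kiosk", r"C:\Deploy\kiosk-setup.exe",
                        r"NT AUTHORITY\SYSTEM", "KIOSK07"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts for WS01, one for DefaultUserName and one for DefaultPassword with plaintext_password set; the AutoAdminLogon write, the unrelated Shell value and the allowlisted deployment tool produce nothing.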
Detection
Execution Mode
realtime
Log Sources
Sysmon, Windows
MITRE ATT&CK
Persistence: Modify Registry (T1112); Defense Evasion: Modify Registry (T1112); Credential Access: Unsecured Credentials - Credentials in Registry (T1552.002)
Future actions
Known False Positives
Administrators configure automatic logon legitimately on kiosks, signage and test machines, and OS deployment task sequences commonly set DefaultUserName, DefaultPassword and AutoAdminLogon for unattended reboots and clear them when the build finishes. Add filters for the approved images, hosts or accounts in your environment. Note that the Sysinternals Autologon tool writes DefaultUserName and DefaultDomainName to the registry but stores the password as an LSA secret rather than as the DefaultPassword registry value, so a DefaultUserName event from that tool is expected, whereas a DefaultPassword value written by anything is plaintext and should not be filtered out.
Next Steps
- Identification: Identify which value was written and by whom (PREVVAL, CHANGES, PROCESSNAME and USERNAME in the event), which account the stored credentials belong to, and whether AutoAdminLogon is set to 1 on the host so that the credentials are actually in use.
- Analysis: Determine if this configuration was authorized (deployment window, approved kiosk build) or malicious, and whether the stored account is privileged or shares its password with other accounts or systems.
- Response: Remove the DefaultPassword value (and set AutoAdminLogon to 0 unless automatic logon is approved), then rotate the affected password, since any value that reached the registry must be assumed read. If automatic logon is genuinely required, use a dedicated low-privilege account and keep the password as an LSA secret rather than a registry string.
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Proactively search for credentials within the Registry and attempt to remediate the risk. |
| M1027 | Password Policies | Do not store credentials within the Registry. |
| M1026 | Privileged Account Management | If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
| M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |