title: Registry Credential Enumeration
description: Detect enumeration and discovery of credentials within the Registry, including Putty sessions.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Credential Access
   technique: T1552
   subtechnique: 002
operating_system: windows
query: TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline
  ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS
  "query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"
false_positives: null
tags: null