description |
---|
Internal recon, hunting for passwords in Windows registry |
Scanning registry hives for the value `password`:
{% code title="attacker@victim" %}
reg query HKLM /f password /t REG_SZ /s
# or
reg query HKCU /f password /t REG_SZ /s
{% endcode %}
As a defender, you may want to monitor command-line argument logs and look for any that include the `reg query` and `password` strings.
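One way to turn that check into triage logic, as an added example that is not part of the original page: it separates a keyword search (`/f`) from a `reg query` that only names the keyword elsewhere, and ignores other `reg` verbs where `/f` means "force". It assumes process-creation logging with command lines is enabled (for example Security event 4688 or Sysmon event 1); the record layout, field names and sample events are constructed for illustration.

```python
import ntpath
import shlex

KEYWORDS = ("password",)  # the term the page searches for; extend as needed

# Constructed sample process-creation records (field names are hypothetical).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": r"reg query HKLM /f password /t REG_SZ /s"},
    {"host": "WS01", "cmd": r'"C:\Windows\System32\reg.exe"  QUERY hkcu /F "Password" /t REG_SZ /s'},
    {"host": "WS02", "cmd": r'reg query "HKLM\SOFTWARE\Example" /v DefaultPassword'},
    {"host": "WS03", "cmd": r"reg add HKCU\Software\Example /v Theme /d dark /f"},
    {"host": "WS03", "cmd": r"reg query HKLM\SOFTWARE\Example /s"},
]

def _tokens(cmdline):
    """Split a Windows command line, keeping backslashes and dropping quotes."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote in the logged string
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def classify(cmdline, keywords=KEYWORDS):
    """Return 'search' for `reg query ... /f <keyword>`, 'mention' when a
    reg query names a keyword elsewhere (e.g. after /v), else None."""
    toks = _tokens(cmdline)
    if len(toks) < 2 or ntpath.basename(toks[0]).lower() not in ("reg", "reg.exe"):
        return None
    if toks[1].lower() != "query":  # e.g. `reg add ... /f`, where /f is "force"
        return None
    args = [t.lower() for t in toks[2:]]
    for flag, value in zip(args, args[1:]):
        if flag == "/f" and any(k in value for k in keywords):
            return "search"
    if any(k in a for a in args for k in keywords):
        return "mention"
    return None

def triage(events):
    """Return (host, verdict, cmd) for every event that needs review."""
    hits = []
    for ev in events:
        verdict = classify(ev["cmd"])
        if verdict:
            hits.append((ev["host"], verdict, ev["cmd"]))
    return hits

if __name__ == "__main__":
    for host, verdict, cmd in triage(SAMPLE_EVENTS):
        print(f"{host}\t{verdict}\t{cmd}")
```

A `search` verdict matches the commands shown above; `mention` keeps the broader "both strings present" match so targeted value reads are still surfaced for review.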
{% embed url="https://attack.mitre.org/wiki/Technique/T1214" %}