| ID | Name |
|---|---|
| ATAGS-T1126.001 | Chat Messages |
| ATAGS-T1126.002 | Cloud Instance Metadata API |
| ATAGS-T1126.003 | Container API |
| ATAGS-T1126.004 | Credentials In Files |
| ATAGS-T1126.005 | Credentials in Registry |
| ATAGS-T1126.006 | Group Policy Preferences |
| ATAGS-T1126.007 | Private Keys |
| ATAGS-T1126.008 | Shell History |
Threat Actors may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Threat Actors may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.