
Summary
This rule aims to identify attempts to export sensitive registry hives that may contain credential information on Windows systems, specifically through the use of the `reg.exe` tool. It monitors for executions of `reg.exe` with the commands typically used to dump the SECURITY and SAM hives, which store cached credentials. Such registry dumps can lead to credential theft when an attacker extracts sensitive information from these hives, particularly in combination with the SYSTEM hive. The rule checks the process execution state, filtering for successful invocations of the command that saves or exports these hives. It also provides triage and response guidance: investigation steps for potentially malicious activity, analysis of the user's behaviour, and remediation actions if a compromise is suspected. False positives are addressed by accounting for legitimate administrative activity involving registry hive exports. The detection is valuable as part of a broader strategy to prevent unauthorized access to credential information and to respond effectively to potential security incidents.
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Active Directory
ATT&CK Techniques
- T1003
- T1003.002
- T1003.004
Created: 2020-11-23