
Summary
This detection rule monitors access requests to the Security Accounts Manager (SAM) registry hive on Windows. The SAM hive stores local user account information and the associated security identifiers (SIDs), which makes it a prime target for attackers seeking unauthorized access or elevated privileges. The rule looks for Windows Event ID 4656, which records that a handle to an object (here, the SAM registry hive) was requested. It filters for events where the object type is 'Key' and the object name ends with '\SAM', signalling possible exploration of, or an attack on, user credentials. The high-risk activity this detects maps to common attack patterns such as discovery and credential access. Unusual access to the SAM registry hive should raise an alert for further investigation so that attempts at privilege escalation or credential theft can be blocked.
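The filter described above, replayed over a handful of parsed Event ID 4656 records. This is an added example, not the rule's own query language or code: the events are constructed samples shaped like parsed Windows Security log records (EventID, ObjectType, ObjectName, ProcessName, SubjectUserName are real 4656 field names; the values are invented), and the optional process exclusion list is an assumption added here so an analyst can tune out a known-benign reader such as lsass.exe.

```python
"""Replay the 'SAM hive access' rule over constructed Event ID 4656 records.

Rule logic: EventID == 4656 AND ObjectType == 'Key' AND ObjectName ends
with '\\SAM'. Registry paths are case-insensitive, so the suffix check is too.
"""
from typing import Iterable, List, Sequence

# Constructed sample events (not real logs), shaped like parsed Security log records.
SAMPLE_EVENTS = [
    {"EventID": 4656, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM",
     "ProcessName": r"C:\Windows\System32\reg.exe",
     "SubjectUserName": "jdoe"},                      # hit: interactive user, reg.exe
    {"EventID": 4656, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "SubjectUserName": "SYSTEM"},                    # miss: different key
    {"EventID": 4656, "ObjectType": "File",
     "ObjectName": r"C:\Windows\System32\config\SAM",
     "ProcessName": r"C:\Windows\System32\backup.exe",
     "SubjectUserName": "backupsvc"},                 # miss: ObjectType is File, not Key
    {"EventID": 4663, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM",
     "ProcessName": r"C:\Windows\System32\reg.exe",
     "SubjectUserName": "jdoe"},                      # miss: 4663 (access performed), not 4656
    {"EventID": 4656, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\sam",
     "ProcessName": r"C:\Temp\dump.exe",
     "SubjectUserName": "jdoe"},                      # hit: same key, different case
    {"EventID": 4656, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM",
     "ProcessName": r"C:\Windows\System32\lsass.exe",
     "SubjectUserName": "SYSTEM"},                    # hit unless lsass.exe is excluded
]


def matches_rule(event: dict, excluded_processes: Sequence[str] = ()) -> bool:
    """Return True when the event satisfies the rule's three conditions.

    excluded_processes (hypothetical tuning knob, not part of the original
    rule) holds lower-case process image names whose hits should be dropped.
    """
    if event.get("EventID") != 4656:
        return False
    if event.get("ObjectType") != "Key":
        return False
    object_name = str(event.get("ObjectName", ""))
    if not object_name.lower().endswith("\\sam"):
        return False
    process = str(event.get("ProcessName", "")).lower()
    return not any(process.endswith(name.lower()) for name in excluded_processes)


def run_rule(events: Iterable[dict], excluded_processes: Sequence[str] = ()) -> List[dict]:
    """Apply the rule to a stream of events and return the matching records."""
    return [e for e in events if matches_rule(e, excluded_processes)]


def describe(hit: dict) -> str:
    """One-line alert text an analyst would see for a hit."""
    return (f"SAM hive handle requested: user={hit.get('SubjectUserName')} "
            f"process={hit.get('ProcessName')} object={hit.get('ObjectName')}")


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS, excluded_processes=("lsass.exe",)):
        print(describe(hit))
```

Event 4656 for a registry key is only written when the Object Access / Audit Registry subcategory is enabled and the key carries a SACL covering the requested access, so the rule fires nothing on a host where that auditing is off; checking that the expected volume of benign 4656 events is arriving is the first step when this rule stays silent. The example also treats 4656 (handle requested) and 4663 (access performed) as distinct, as the rule does.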
Categories
- Windows
Data Sources
- Windows Registry
- Logon Session
- Process
Created: 2019-08-12