Dumping of Sensitive Hives Via Reg.EXE

Summary
This detection rule identifies use of the Windows Registry tool "reg.exe" to dump sensitive registry hives, specifically the SAM, SYSTEM, and SECURITY hives. The rule inspects process creation events, matching the command line of "reg.exe" for the save and export verbs combined with a reference to one of these high-risk hives, since writing them to disk is a common precursor to offline credential extraction. Any such command line raises an alert. Legitimate use cases, such as backups or forensic acquisition, are considered false positives.
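To make the selection logic concrete, here is an added Python example (not the Sigma rule itself, which is not reproduced on this page) that approximates it over constructed process-creation events: the image ends in reg.exe, the command line carries the save or export verb, and it references the SAM, SYSTEM or SECURITY hive under HKLM. The names ProcessEvent, matching_hive and scan, and the sample events, are assumptions for this example.

```python
import re
from typing import Iterable, Iterator, NamedTuple, Optional, Tuple

# Constructed approximation of the rule's selection (not the Sigma rule's own definition).
HIVE_RE = re.compile(
    r'(?:hklm|hkey_local_machine)\\(sam|system|security)(?=["\s\\]|$)', re.IGNORECASE
)
VERB_RE = re.compile(r'(?:^|\s)(save|export)(?=\s)', re.IGNORECASE)


class ProcessEvent(NamedTuple):
    image: str          # full path of the created process
    command_line: str   # command line as logged by Sysmon EID 1 / Security 4688


def matching_hive(event: ProcessEvent) -> Optional[str]:
    """Return the sensitive hive name when the event looks like reg.exe dumping it, else None."""
    if not event.image.lower().endswith("\\reg.exe"):
        return None
    if not VERB_RE.search(event.command_line):
        return None  # reads such as 'reg query' do not write a hive to disk
    m = HIVE_RE.search(event.command_line)
    return m.group(1).upper() if m else None


def scan(events: Iterable[ProcessEvent]) -> Iterator[Tuple[str, str]]:
    """Yield (hive, command_line) for every event that triggers the rule."""
    for e in events:
        hive = matching_hive(e)
        if hive:
            yield hive, e.command_line


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'"C:\Windows\System32\reg.exe" export "HKEY_LOCAL_MACHINE\SECURITY" C:\Users\Public\sec.reg'),
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg query HKLM\SAM"),                          # read only
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg export HKLM\SOFTWARE\Contoso C:\bak\app.reg"),  # other hive
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd /c echo save HKLM\SYSTEM"),               # not reg.exe
]

if __name__ == "__main__":
    for hive, cmd in scan(SAMPLE_EVENTS):
        print(f"ALERT hive={hive} cmd={cmd}")
```

Exports of a sub-key under HKLM\SYSTEM also match, which mirrors the substring-style hive check and is where scheduled backup tooling will show up as the false positives the summary mentions.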
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1003
  • T1003.002
Created: 2019-10-22