
Summary
This detection rule identifies PowerShell commands that attempt to copy the SAM, SYSTEM and SECURITY registry hives. SAM holds the password hashes of local accounts, SYSTEM holds the boot key needed to decrypt them, and SECURITY holds LSA secrets and cached domain credentials, so copying these hives (from the live registry, from the files under System32\config, or from a volume shadow copy) is a standard step in credential theft and any attempt to do so warrants investigation. The rule relies on PowerShell Script Block Logging (EventCode 4104), which records the full text of executed script blocks; it therefore only fires on hosts where script block logging is enabled. On a match it summarises the activity per host and user, including the number of occurrences and the first and last time the commands ran. If the activity is confirmed malicious, the attacker can extract and crack the credentials held in these hives, gaining unauthorised access to systems and enabling lateral movement across the network. Legitimate backup or imaging tooling can produce the same commands, so confirm the user and process context before escalating.
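The following is an added example, not the rule's own search logic or code from the original page: a small Python re-implementation of the detection applied to constructed 4104 events. The copy-verb and hive-reference patterns are assumptions chosen to cover the cases named above (Copy-Item/copy/cp/xcopy/robocopy, reg save/export, esentutl, and paths under \config\ or HKLM), and it produces the per-host, per-user statistics the summary describes (count, first and last time, hives touched).

```python
"""Toy re-implementation of the hive-copy detection over PowerShell 4104 events.

Assumed patterns, not the rule's own SPL: a hit requires both a copy/export verb
and a reference to the SAM, SYSTEM or SECURITY hive, either as the on-disk file
under \\config\\ (including shadow-copy paths) or as the live HKLM key.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

COPY_VERB = re.compile(
    r"\b(?:copy-item|copy|cp|xcopy|robocopy|esentutl(?:\.exe)?"
    r"|reg(?:\.exe)?\s+(?:save|export))\b",
    re.IGNORECASE,
)
HIVE_REF = re.compile(r"(?:\\config\\|hklm\\)(sam|system|security)\b", re.IGNORECASE)

# Constructed sample events in the shape of Windows PowerShell 4104 records.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T09:15:02", "EventCode": 4104, "Computer": "ws01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": r"Copy-Item -Path C:\Windows\System32\config\SAM -Destination C:\Temp\sam.hiv"},
    {"_time": "2024-11-13T09:15:10", "EventCode": 4104, "Computer": "ws01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": r"reg.exe save hklm\system C:\Temp\system.hiv"},
    {"_time": "2024-11-13T09:14:55", "EventCode": 4104, "Computer": "ws01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": r"cp \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\Temp\security.hiv"},
    {"_time": "2024-11-13T11:02:41", "EventCode": 4104, "Computer": "srv02.corp.local",
     "UserID": "CORP\\svc_backup",
     "ScriptBlockText": r"esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\Temp\sam.bak"},
    # Benign: a copy, but not of a hive.
    {"_time": "2024-11-13T11:05:00", "EventCode": 4104, "Computer": "srv02.corp.local",
     "UserID": "CORP\\svc_backup",
     "ScriptBlockText": r"Copy-Item C:\Users\svc_backup\Documents\report.docx D:\Backup\report.docx"},
    # Benign: touches the config directory but copies nothing.
    {"_time": "2024-11-13T11:06:00", "EventCode": 4104, "Computer": "srv02.corp.local",
     "UserID": "CORP\\svc_backup",
     "ScriptBlockText": r"Get-ChildItem C:\Windows\System32\config"},
    # Wrong event code: the rule only reads script block text from 4104.
    {"_time": "2024-11-13T11:07:00", "EventCode": 4103, "Computer": "srv02.corp.local",
     "UserID": "CORP\\svc_backup",
     "ScriptBlockText": r"reg save hklm\sam C:\Temp\sam"},
]


@dataclass
class HostUserStats:
    """Aggregate of hits for one (Computer, UserID) pair."""
    count: int = 0
    first_time: Optional[datetime] = None
    last_time: Optional[datetime] = None
    hives: Set[str] = field(default_factory=set)
    commands: List[str] = field(default_factory=list)


def is_hive_copy(script_block: str) -> Optional[str]:
    """Return the hive name (SAM/SYSTEM/SECURITY) if the script block copies or
    saves a credential hive, otherwise None."""
    if not COPY_VERB.search(script_block):
        return None
    m = HIVE_REF.search(script_block)
    return m.group(1).upper() if m else None


def detect(events) -> Dict[Tuple[str, str], HostUserStats]:
    """Filter 4104 events for hive copies and summarise them per host and user."""
    stats: Dict[Tuple[str, str], HostUserStats] = defaultdict(HostUserStats)
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        hive = is_hive_copy(ev["ScriptBlockText"])
        if hive is None:
            continue
        t = datetime.fromisoformat(ev["_time"])
        s = stats[(ev["Computer"], ev["UserID"])]
        s.count += 1
        s.first_time = t if s.first_time is None or t < s.first_time else s.first_time
        s.last_time = t if s.last_time is None or t > s.last_time else s.last_time
        s.hives.add(hive)
        s.commands.append(ev["ScriptBlockText"])
    return dict(stats)


if __name__ == "__main__":
    for (host, user), s in detect(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {s.count} hit(s), {s.first_time} -> {s.last_time}, "
              f"hives={sorted(s.hives)}")
```

Run against the constructed events, the workstation host shows three hits spanning all three hives within fifteen seconds (the classic full set needed for offline hash extraction), while the server host shows a single esentutl copy of SAM and the benign and non-4104 events are dropped. Requiring both a verb and a hive reference keeps directory listings and ordinary file copies out of the results; tuning for a specific environment usually means adding verbs (for example, custom backup wrappers) rather than loosening the hive match.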
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Script
- Application Log
ATT&CK Techniques
- T1003.002
- T1003
Created: 2024-11-13