Credential Theft from SAM via Registry Hive Dump
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
The Security Account Manager (SAM) is a database file on Windows operating systems that stores usernames and password hashes.
Attackers may attempt to steal these credentials from the SAM and SECURITY hives using various techniques, such as exporting the registry hives with the Windows reg.exe tool.
Attack chain scenario: Phishing -> Unauthorized access -> Registry hive dump -> Credential theft
Impact:
It can impact the organizations in the following ways:
- Credential theft
- Privilege escalation
- Network breach
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the "Audit Process Creation" audit policy, and enabling command line auditing so that the full command line is recorded in the event.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0006 - Credential Access
Technique: T1003 - OS Credential Dumping
Sub-techniques: T1003.002 - Security Account Manager, T1003.004 - LSA Secrets
Criteria:
( ( Process Name ends with reg.exe ) OR ( Original File Name ends with "reg.exe" ) ) AND ( ( Command Line contains "save" ) OR ( Command Line contains "export" ) ) AND ( ( Command Line contains "hklm\sam" ) OR ( Command Line contains "hklm\system" ) OR ( Command Line contains "hklm\security" ) OR ( Command Line contains "hklm\\sam" ) OR ( Command Line contains "hklm\\system" ) OR ( Command Line contains "hklm\\security" ) )
reg.exe - Manages registry data, such as importing data or querying the registry for specific information.
save - Saves a copy of a registry key and its subkeys to a hive file.
export - Exports a registry key and its values to a .reg file.
hklm\sam - A registry path referring to the SAM database.
hklm\security - A registry path referring to the SECURITY database (LSA secrets).
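The following is an added example (not the product's own rule engine) that applies the criteria above to a handful of constructed process-creation records shaped like Sysmon Event ID 1 / Windows 4688 fields. It mirrors the rule exactly, including the single- and double-backslash forms of the hive paths, and tags each hit with the sub-technique the hive relates to. The field names `Image`, `OriginalFileName` and `CommandLine` and all sample command lines are assumptions for illustration.

```python
"""Toy evaluator for the 'Credential Theft from SAM via Registry Hive Dump'
criteria. Example code written for this page; the events below are
constructed, not real telemetry."""

# Constructed sample events modelled on Sysmon Event ID 1 / Windows 4688.
SAMPLE_EVENTS = [
    # 1: classic hive dump of SAM to a world-readable folder
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    # 2: export of SECURITY using the doubled-backslash spelling
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"REG EXPORT HKLM\\SECURITY C:\temp\sec.reg"},
    # 3: renamed binary; only OriginalFileName still says reg.exe
    {"Image": r"C:\Temp\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'r.exe save "hklm\system" \\share\sys.hiv'},
    # 4: benign reg.exe usage (query, no save/export, no sensitive hive)
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    # 5: hive path appears in a command line, but the process is not reg.exe
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c echo hklm\sam"},
]

# Hive -> ATT&CK sub-technique from the page. SYSTEM holds the boot key
# needed to decrypt both SAM and LSA secrets, so it is tagged with both.
HIVE_TECHNIQUES = {
    "sam": ("T1003.002",),
    "security": ("T1003.004",),
    "system": ("T1003.002", "T1003.004"),
}


def matched_hives(event):
    """Return the list of sensitive hives named in the event, or [] if the
    event does not satisfy the rule. Comparisons are case-insensitive, as a
    SIEM string match normally is."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # ( Process Name ends with reg.exe ) OR ( Original File Name ends with reg.exe )
    if not (image.endswith("reg.exe") or original.endswith("reg.exe")):
        return []
    # ( Command Line contains "save" ) OR ( Command Line contains "export" )
    if "save" not in cmd and "export" not in cmd:
        return []
    # ( Command Line contains hklm\<hive> ) OR ( Command Line contains hklm\\<hive> )
    hives = []
    for hive in ("sam", "system", "security"):
        single = "hklm\\" + hive      # hklm\sam
        double = "hklm\\\\" + hive    # hklm\\sam
        if single in cmd or double in cmd:
            hives.append(hive)
    return hives


def evaluate(events):
    """Run the rule over a list of events and return (index, hives, techniques)
    for each event that fires."""
    alerts = []
    for idx, event in enumerate(events, start=1):
        hives = matched_hives(event)
        if hives:
            techniques = sorted({t for h in hives for t in HIVE_TECHNIQUES[h]})
            alerts.append((idx, hives, techniques))
    return alerts


if __name__ == "__main__":
    for idx, hives, techniques in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: hives={hives} techniques={techniques}")
```

Events 1 to 3 fire and event 4 and 5 do not, which shows why the rule checks Original File Name as well as the process name, and why the substring match on "save" is worth keeping in mind during triage: the rule looks for the word anywhere in the command line, so the false-positive note about legitimate backups applies.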
When to enable this rule:
Enabling this rule will help you meet the security standard requirement listed below:
Security standards (NIST CSF 2.0):
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
When this rule is triggered, you're notified that a potential attempt to export a registry hive that may contain credentials using the Windows reg.exe tool has occurred. This enables you to review access and permissions, take corrective actions, and monitor the use of reg.exe.
Known false positives: This event may be generated when administrators use reg.exe for administrative purposes, such as performing legitimate manual backups of the registry.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to cease the malicious process.
- Deploy access controls: Implement access controls and permissions to restrict the execution of reg.exe by unauthorized users.