Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions rules/credential_access_sensitive_registry_hive_dump.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
name: Sensitive registry hive dump
id: 466fae85-e319-490e-9989-a5850ebf7c33
version: 1.0.0
description: |
Identifies an attempt to dump a sensitive registry hive (SAM, SECURITY, or SYSTEM).
Adversaries dump these hives to extract cached credentials, LSA secrets, and the SAM
database offline, commonly as a precursor to tools like secretsdump.py or mimikatz's
lsadump module.
labels:
tactic.id: TA0006
tactic.name: Credential Access
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1003
technique.name: OS Credential Dumping
technique.ref: https://attack.mitre.org/techniques/T1003/
subtechnique.id: T1003.002
subtechnique.name: Security Account Manager
subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
references:
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump

condition: >
sequence
maxspan 1m
by ps.uuid
|open_registry and
evt.pid != 4 and registry.path iin ('HKEY_LOCAL_MACHINE\\SYSTEM', 'HKEY_LOCAL_MACHINE\\SAM', 'HKEY_LOCAL_MACHINE\\SECURITY', 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets') and
ps.exe not imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\System32\\lsass.exe')
|
|create_file and
thread.callstack.symbols imatches ('KernelBase.dll!RegSaveKey*', 'advapi32.dll!RegSaveKey*') and
ps.exe not imatches
(
'?:\\Windows\\System32\\wbengine.exe',
'?:\\Windows\\System32\\wbadmin.exe',
'?:\\Windows\\System32\\vssvc.exe',
'?:\\Windows\\System32\\ntdsutil.exe',
'?:\\Windows\\CCM\\CcmExec.exe',
'?:\\Windows\\CCM\\CIAgent.exe',
'?:\\Windows\\CCM\\SMSAgentHost.exe',
'?:\\Program Files\\Veeam\\*\\*.exe',
'?:\\Program Files\\Veritas\\Backup Exec\\*.exe',
'?:\\Program Files\\Common Files\\Acronis\\*\\*.exe',
'?:\\Program Files (x86)\\Common Files\\Acronis\\*\\*.exe'
)
|

severity: high

min-engine-version: 3.0.0
Loading