Threat Feed
high advisory

Credential Acquisition via Registry Hive Dumping

Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.

This detection identifies attempts to export registry hives that hold credential material using the built-in Windows utility reg.exe. Attackers target HKLM\SAM, which stores the NT password hashes of local accounts, and HKLM\SECURITY, which stores LSA secrets (including service account passwords) and cached domain logon credentials. Both hives are encrypted with the boot key kept in HKLM\SYSTEM, so a dump of SAM or SECURITY is normally accompanied by a dump of SYSTEM; a rule that also covers that hive catches the same activity. Saving these hives requires an elevated context (reg save relies on the backup privilege), so the activity usually follows privilege escalation and forms part of a broader credential access campaign.

The rule looks for reg.exe executed with the "save" or "export" verb against the SAM or SECURITY hive. Because reg.exe is present on every Windows host and no tooling has to be dropped, the technique is used by actors ranging from ransomware affiliates to state-sponsored groups. Defenders should monitor for it to stop unauthorized credential access before the recovered hashes are reused for lateral movement.

Attack Chain

  1. An attacker gains initial access to a Windows host, for example through phishing or exploitation of a vulnerability, and obtains an elevated (administrator or SYSTEM) context.
  2. The attacker runs reg.exe from an interactive shell or a script.
  3. The command line carries the "save" verb (writes a binary hive file) or the "export" verb (writes a .reg text file).
  4. The targeted hives are HKLM\SAM (local account password hashes) and HKLM\SECURITY (LSA secrets and cached domain credentials); HKLM\SYSTEM is usually taken as well because it holds the boot key needed to decrypt the other two.
  5. The output file is written to local disk or a network share.
  6. The attacker may compress or encrypt the file to evade content inspection during exfiltration.
  7. The attacker retrieves the file for offline analysis.
  8. The attacker extracts password hashes and LSA secrets from the hives and uses them for lateral movement (for example pass-the-hash) or privilege escalation.
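The detection logic described above and the reg.exe invocations in the attack chain, as an added example that is not the platform's Sigma rule or any of its code. It runs a small detector over constructed Sysmon Event ID 1-style records: it matches reg.exe regardless of the directory it runs from (so the System32 and SysWOW64 copies are both covered), tokenizes the command line the way Windows does (double quotes group a token), checks for the save or export verb, and pulls out the target hive and the destination file for triage. As an assumption beyond the page's rule it also flags HKLM\SYSTEM, since that hive carries the boot key needed to decrypt SAM and SECURITY. All event records and paths are constructed for the example.

```python
"""Toy detector for reg.exe hive dumping over constructed process-creation events.

Added example; not the platform's Sigma rule. Event fields mirror Sysmon
Event ID 1 (Image, CommandLine, ParentImage) but the records are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Hives the page's rule targets (SAM, SECURITY) plus SYSTEM, which is an
# assumption of this example: it holds the boot key that decrypts the others.
HIVE_PATTERN = re.compile(
    r"^(hklm|hkey_local_machine)\\(sam|security|system)(\\|$)", re.IGNORECASE
)
SUSPICIOUS_VERBS = ("save", "export")


@dataclass
class Alert:
    hive: str          # SAM / SECURITY / SYSTEM
    action: str        # save or export
    destination: str   # output file from the command line, "" if absent
    image: str         # full path of the reg.exe binary that ran
    parent_image: str  # what spawned reg.exe; key triage field


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line: whitespace separated, double quotes group."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_reg_exe(image: str) -> bool:
    """Match reg.exe by file name so System32, SysWOW64 and copied binaries all hit."""
    return image.lower().rsplit("\\", 1)[-1] == "reg.exe"


def detect(event: dict) -> Optional[Alert]:
    """Return an Alert if the event is reg.exe saving/exporting a credential hive."""
    if not is_reg_exe(event.get("Image", "")):
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    # Expect: <reg> <verb> <key> [<file>] ...
    if len(tokens) < 3 or tokens[1].lower() not in SUSPICIOUS_VERBS:
        return None
    match = HIVE_PATTERN.match(tokens[2])
    if not match:
        return None
    return Alert(
        hive=match.group(2).upper(),
        action=tokens[1].lower(),
        destination=tokens[3] if len(tokens) > 3 else "",
        image=event["Image"],
        parent_image=event.get("ParentImage", ""),
    )


def scan(events: list[dict]) -> list[Alert]:
    """Run the detector over a list of events and collect the alerts."""
    return [alert for alert in (detect(e) for e in events) if alert is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # classic SAM dump from an elevated cmd.exe; should alert
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 32-bit copy, long hive name, quoted key, /y overwrite flag; should alert
        "Image": r"C:\Windows\SysWOW64\reg.exe",
        "CommandLine": r'reg.exe export "hkey_local_machine\security" C:\Users\Public\sec.reg /y',
        "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # SYSTEM hive taken for the boot key; flagged by this example's extension
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg save hklm\system \\fileserver\share\sys.hiv",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign administration: read-only query, no alert
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # export of a non-credential key, no alert
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg export HKCU\Software\Contoso C:\Temp\contoso.reg",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.action.upper():6} {alert.hive:8} -> {alert.destination or '<none>'}"
              f"  image={alert.image}  parent={alert.parent_image}")
```

Note that the detector keys on the reg.exe process itself. A wrapper such as `cmd /c reg save ...` produces a cmd.exe event that this logic ignores, but the child reg.exe it spawns generates its own process-creation event, and that is the one that fires; the wrapper then shows up in the alert's parent field, which is exactly the context the triage recommendation asks for.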

Impact

A successful hive dump hands the attacker the credential material stored in the registry: local account NT hashes, LSA secrets (which can include cleartext service account passwords) and cached domain logon credentials. Local hashes can be replayed directly against other hosts that share the same local administrator password, and cached credentials can be cracked offline. The result is lateral movement, privilege escalation and ultimately data exfiltration or full compromise of the environment, which is why the severity is rated high.

Recommendation

  • Enable process creation auditing with command line capture: Windows Security Event ID 4688 with the "Include command line in process creation events" policy, or Sysmon Event ID 1. Without the command line the save/export verb and the target hive are not visible. (Data Source: Windows Security Event Logs, Sysmon)
  • Deploy the Sigma rule Detect Registry Hive Export via Reg.exe to your SIEM to detect the execution of reg.exe with arguments indicative of registry hive dumping.
  • Monitor file creation events (Sysmon Event ID 11) for the saved hive or .reg file, and for copies of hive files appearing outside %SystemRoot%\System32\config.
  • Saving these hives requires an elevated context, so restrict local administrator membership and limit the use of reg.exe to authorized personnel and processes.
  • Alert on unusual parent processes of reg.exe (for example Office applications, browsers or web server worker processes), which indicate execution from a payload rather than from an administrator's shell.
  • Investigate every alert by reviewing the full process command line, the parent process chain, the user context and the destination of the exported hive, and check whether that file still exists on disk or has been staged for exfiltration.

Detection coverage (2 rules)

Detect Registry Hive Export via Reg.exe

high

Detects attempts to export registry hives using reg.exe, which may indicate credential access attempts.

Format: Sigma. Tactic: credential_access. Technique: T1003 (OS Credential Dumping). Log source: process_creation (windows).

Detect Registry Hive Export via Reg.exe - Alternative Path

high

Detects attempts to export registry hives using reg.exe invoked from a different reg.exe path than the primary rule expects, which may indicate credential access attempts.

Format: Sigma. Tactic: credential_access. Technique: T1003 (OS Credential Dumping). Log source: process_creation (windows).
