Threat Feed
high advisory

Potential Remote Credential Access via Registry

Detects remote access to the registry, potentially dumping credential data from the Security Account Manager (SAM) registry hive, indicating preparation for credential access and privilege elevation.

This detection identifies potential remote access to the Windows registry to dump credential data from the Security Account Manager (SAM) registry hive. This activity often precedes credential access and privilege elevation attempts. The rule focuses on file creation by svchost.exe, a legitimate Windows process, in temporary directories: when svchost.exe writes a file that begins with registry file (REGF) header bytes to a temporary location, and that file is also of significant size, it indicates a potential secretsdump-style attack. The rule is designed for data generated by Elastic Defend.

Attack Chain

  1. Attacker gains initial access to the target system via compromised credentials or exploiting a vulnerability.
  2. Attacker uses remote registry tools or scripts, such as those based on Impacket’s secretsdump.py, to connect to the target system’s registry service.
  3. The attacker initiates a connection to the RemoteRegistry service.
  4. The svchost.exe process on the target system is leveraged to access the SAM, SECURITY, and SYSTEM registry hives.
  5. svchost.exe creates a temporary file (e.g., a .tmp file) in the \Windows\System32\ or \WINDOWS\Temp\ directory.
  6. The temporary file contains the contents of the registry hive, identifiable by the 72656766 (ASCII "regf") header bytes and a file size greater than 30000 bytes.
  7. The attacker retrieves the dumped registry hive files from the target system.
  8. The attacker parses the registry hives offline to extract sensitive credential information, such as password hashes. This leads to lateral movement and privilege escalation.
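The indicators from steps 5 and 6 (svchost.exe as the writer, a temporary directory, REGF header bytes and a size above 30000 bytes) expressed as detection logic over constructed file events, as an added example that is not the advisory's own Sigma rule; it assumes ECS-style field names process.name and file.size alongside the file.Ext.header_bytes and file.path fields the Recommendation section names.

```python
import re

# Added example, not the advisory's rule: evaluate Elastic-Defend-style file
# events against the conditions the advisory describes. Field names
# file.Ext.header_bytes and file.path come from the advisory; process.name
# and file.size are assumed ECS fields.

REGF_HEADER_HEX = "72656766"  # hex of ASCII "regf", the registry hive magic
MIN_HIVE_SIZE = 30000         # size threshold named in the advisory
# \Windows\System32\ and \Windows\Temp\ on any drive letter, case-insensitive
TEMP_PATHS = re.compile(r"^[a-z]:\\windows\\(system32|temp)\\", re.IGNORECASE)


def is_suspicious_hive_dump(event: dict) -> bool:
    """True when svchost.exe wrote a REGF-headed file larger than the
    threshold into the System32 or Windows Temp directory."""
    if event.get("process.name", "").lower() != "svchost.exe":
        return False
    header = event.get("file.Ext.header_bytes", "").lower()
    if not header.startswith(REGF_HEADER_HEX):
        return False
    if int(event.get("file.size", 0)) <= MIN_HIVE_SIZE:
        return False
    return TEMP_PATHS.match(event.get("file.path", "")) is not None


def find_hive_dumps(events):
    """Return the paths of all events that match the indicators."""
    return [e["file.path"] for e in events if is_suspicious_hive_dump(e)]


# Constructed sample events (not real telemetry): one true positive, then a
# too-small file, a non-svchost writer and a REGF file outside the temp paths.
SAMPLE_EVENTS = [
    {"process.name": "svchost.exe", "file.path": r"C:\Windows\Temp\ABC123.tmp",
     "file.Ext.header_bytes": "72656766000000000000", "file.size": 45056},
    {"process.name": "svchost.exe", "file.path": r"C:\Windows\Temp\small.tmp",
     "file.Ext.header_bytes": "72656766000000000000", "file.size": 4096},
    {"process.name": "notepad.exe", "file.path": r"C:\Windows\Temp\notes.tmp",
     "file.Ext.header_bytes": "48656c6c6f", "file.size": 65536},
    {"process.name": "svchost.exe", "file.path": r"C:\Users\alice\AppData\Local\x.tmp",
     "file.Ext.header_bytes": "72656766000000000000", "file.size": 65536},
]

if __name__ == "__main__":
    for path in find_hive_dumps(SAMPLE_EVENTS):
        print("ALERT: possible remote registry hive dump ->", path)
```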

Impact

A successful attack allows adversaries to extract sensitive credentials, including password hashes, from the compromised system. This can lead to lateral movement within the network, privilege escalation, and ultimately, domain compromise. The extraction of credentials provides the attacker with persistent access and the ability to move undetected through the environment.

Recommendation

  • Deploy the Sigma rule Suspicious Svchost.exe Registry Hive Dump to detect the creation of registry hive files by svchost.exe in temporary directories based on the file.Ext.header_bytes and file.path fields.
  • Deploy the Sigma rule Suspicious RemoteRegistry File Creation to detect files with REGF header bytes created by svchost.exe outside the standard system path, catching an unusual service context.
  • Enable and monitor process creation events, specifically focusing on svchost.exe and its command-line arguments, to identify suspicious service groups.
  • Monitor file creation events for files with the .tmp extension in the \Windows\System32\ and \WINDOWS\Temp\ directories, paying attention to file sizes and header bytes, as indicated by the file path and size conditions in the rule.
  • Review the investigation steps outlined in the rule documentation to properly triage and analyze potential incidents.

Detection coverage (2 rules)

Suspicious Svchost.exe Registry Hive Dump

high

Detects the creation of registry hive files by svchost.exe in temporary directories, indicating potential credential dumping.

Rule type: sigma
Tactics: credential_access, lateral_movement
Techniques: T1003.001, T1021.002
Sources: file_event, windows

Suspicious RemoteRegistry File Creation

medium

Detects files with REGF header bytes created by svchost.exe outside the standard system path, catching an unusual service context.

Rule type: sigma
Tactics: credential_access, lateral_movement
Techniques: T1003.001, T1021.002
Sources: file_event, windows
