{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/registry-dump/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endgame","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","registry-dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to export registry hives containing sensitive credential information using the Windows \u003ccode\u003ereg.exe\u003c/code\u003e utility. Attackers may target the \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e hives to extract stored credentials, including password hashes and LSA secrets. The activity is often part of a broader credential access campaign. The rule focuses on detecting the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with specific arguments indicating an attempt to save or export these critical registry hives. The use of \u003ccode\u003ereg.exe\u003c/code\u003e makes this technique accessible to various threat actors, including ransomware groups and nation-state actors. Defenders need to monitor for this activity to prevent unauthorized credential access and potential lateral movement within the network. This rule specifically looks for \u0026ldquo;save\u0026rdquo; and \u0026ldquo;export\u0026rdquo; arguments targeting SAM and SECURITY hives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg.exe\u003c/code\u003e from the command line or through a script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereg.exe\u003c/code\u003e command includes arguments to save or export registry hives.\u003c/li\u003e\n\u003cli\u003eThe target registry hives are \u003ccode\u003eHKLM\\SAM\u003c/code\u003e and \u003ccode\u003eHKLM\\SECURITY\u003c/code\u003e, containing sensitive credential information.\u003c/li\u003e\n\u003cli\u003eThe exported registry hive is saved to a file on disk or a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress or encrypt the exported registry hive to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported registry hive for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts credential information from the registry hive, such as password hashes and LSA secrets, to use in lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to acquire sensitive credentials stored within the registry. This can lead to lateral movement within the network, privilege escalation, and ultimately, data exfiltration or system compromise. Compromised credentials can be used to access critical systems and data, causing significant damage to the organization. The impact is considered high due to the potential for widespread access and control over the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation auditing with command line arguments to capture the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with relevant arguments. (\u003ca href=\"https://ela.st/audit-process-creation\"\u003eData Source: Windows Security Event Logs, Sysmon\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Registry Hive Export via Reg.exe\u003c/code\u003e to your SIEM to detect the execution of \u003ccode\u003ereg.exe\u003c/code\u003e with arguments indicative of registry hive dumping.\u003c/li\u003e\n\u003cli\u003eImplement access controls and monitor file system activity to detect unauthorized access or modification of registry hive files.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003ereg.exe\u003c/code\u003e to authorized personnel and processes.\u003c/li\u003e\n\u003cli\u003eMonitor for parent processes of \u003ccode\u003ereg.exe\u003c/code\u003e that are unusual or unexpected, which might indicate malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the process command line, parent process, and destination of the exported registry hive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-registry-hive-dump/","summary":"Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.","title":"Credential Acquisition via Registry Hive Dumping","url":"https://feed.craftedsignal.io/briefs/2024-01-24-registry-hive-dump/"}],"language":"en","title":"CraftedSignal Threat Feed — Registry-Dump","version":"https://jsonfeed.org/version/1.1"}