Credential Acquisition via Registry Hive Dumping
Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.
Elastic rule
[metadata]
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/22"

[rule]
author = ["Elastic"]
description = "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool."
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Credential Acquisition via Registry Hive Dumping"
references = [
  "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
  "https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 73
rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
  "Data Source: Sysmon",
  "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (?process.pe.original_file_name == "reg.exe" or process.name : "reg.exe") and
  process.args : ("save", "export") and
  process.args : ("hklm\\sam", "hklm\\security")
'''

note = """## Triage and analysis

### Investigating Credential Acquisition via Registry Hive Dumping

#### Possible investigation steps

- What exact hive-export behavior did the alert capture?
  - Focus: `process.command_line`, `process.executable`, `process.pe.original_file_name`, and `process.code_signature.subject_name`.
  - Implication: escalate if the command saves or exports SAM or SECURITY to temp, public, admin-share, UNC, removable, or deceptive paths; lower suspicion only when the signed Microsoft reg.exe identity, destination, and export set fit the same recognized backup, recovery, forensic, or break-glass workflow. Identity alone never clears the export.

- Does the parent and session context explain why credential-bearing hives were exported?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, and `user.id`.
  - Hint: If the parent is generic and lineage remains unclear, expand ancestry before accepting a maintenance explanation.
  - Implication: escalate when an interactive shell, script host, RMM tool, service account, remote-style session, or unexpected user initiated the export; lower suspicion when the same user or service identity, parent workflow, and session type recur for a recognized backup, recovery, forensic, or break-glass process.

- Did the alert parent launch accompanying SYSTEM export, staging, transfer, cleanup, or alternate dump commands?
  - Focus: process events from the alert parent and reg.exe children, using `process.parent.entity_id`, `process.parent.pid`, `process.executable`, and `process.command_line`. $investigate_2 $investigate_3
  - Hint: If `process.parent.entity_id` is absent, use the `host.id` + alert `process.parent.pid` branch in a tight alert-time window; if reg.exe spawned a helper, pivot from alert `process.entity_id` to child `process.parent.entity_id`.
  - Hint: If file or network telemetry is available, recover file activity and connections for reg.exe and its children to identify hive output, archives, share writes, removable-media staging, or off-host transfer. Missing network telemetry is unresolved, not benign. $investigate_4 $investigate_5
  - Implication: escalate when the same parent exports SYSTEM, packages, copies, deletes, or transfers hive output, or launches vssadmin.exe, diskshadow.exe, or shadow-copy paths to continue dumping outside this rule; absence of same-parent support reduces staging evidence but does not clear the original export.

- Does the host role or hive combination raise credential-exposure severity?
  - Focus: `host.id`, `host.name`, and `process.command_line`, plus asset or case records only as corroboration.
  - Hint: Do not infer privileged role from `host.name` alone.
  - Implication: raise urgency when asset context or host history identifies a jump host, backup node, admin workstation, server, or shared management platform, or when same-parent process review confirms SYSTEM was exported with SAM or SECURITY; lower urgency only when the host role and export set fit the same recognized workflow.

- If local evidence remains suspicious or unresolved, does related alert scope show broader credential-access activity?
  - Focus: related alerts for the same `user.id` and `host.id`, looking for credential dumping, archiving, privilege escalation, persistence, or lateral movement.
  - Hint: Start with same-user alerts. $investigate_0
  - Hint: Compare same-host alerts. $investigate_1
  - Implication: broaden scope and credential review when related alerts show complementary abuse; keep the case local when related alert scope is quiet and local telemetry already binds the export to one recognized workflow.

- Based on the evidence gathered, what disposition is supported?
  - Focus: binary identity, hive targets and output path, parent/session context, same-parent or child-process activity, host exposure, and related-alert scope.
  - Implication: escalate when an unrecognized SAM or SECURITY export has a risky destination, suspicious lineage or session, follow-on staging, privileged-host exposure, or related credential-access alerts; close only when the same evidence categories bind one exact recognized workflow on this host, with outside confirmation if telemetry cannot prove legitimacy; preserve artifacts and escalate when evidence is mixed or incomplete.

### False positive analysis

- Backup, recovery, forensic, or break-glass workflows can legitimately export SAM or SECURITY hives. Confirm that the signed Microsoft utility identity, command-line hive and destination pattern, parent workflow, session context, `user.id`, `host.id`, host role, and same-parent or child-process activity all align with the same workflow. If telemetry cannot prove legitimacy, use case records, change records, or owner confirmation only as corroboration for that exact activity. If any evidence dimension contradicts the workflow, do not close as benign.
- Before creating an exception, validate that the same `process.executable`, `process.code_signature.subject_name`, `process.parent.command_line`, `process.command_line` hive/destination pattern, `user.id`, and `host.id` recur across prior alerts from this rule. Build from that minimum confirmed pattern. Avoid exceptions on `process.name`, reg.exe, the hive name, or the host alone.

### Response and remediation

- If confirmed benign, reverse any temporary restriction and document the recognized utility path, hive/destination pattern, parent and session context, `user.id`, `host.id`, host role, and corroborating case evidence that justified closure. Create an exception only if that same pattern recurs consistently across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the alert record, process tree, `process.entity_id`, `process.command_line`, output path named in the command, same-parent or child-process command lines, session context, `user.id`, and `host.id` before containment or cleanup. Apply reversible containment tied to the findings, such as temporary share restriction or limited outbound access for the affected host; escalate to host isolation or account action only if staging, transfer commands, related alerts, or host criticality justify the impact.
- If confirmed malicious, preserve the same evidence set, then isolate the host if its role can tolerate it and the findings show unauthorized hive export or movement risk. Contain the responsible account only when the user/session evidence indicates account misuse. Terminate the process only after evidence capture if it is still running.
- Scope exposure from the copied material: SAM implies local account hash exposure; SECURITY implies LSA secret or cached-credential exposure; a same-parent SYSTEM export makes offline decryption more plausible and should raise urgency.
- Before deleting or rotating anything, review related `host.id` and `user.id` activity for the same command patterns, hive-copy names, archive names, share paths, transfer commands, and alternate copy methods such as vssadmin.exe, diskshadow.exe, or raw shadow-copy access. Then remove only the unauthorized dump scripts, archives, copied hive files, and persistence mechanisms identified during the investigation, and remediate the access path that allowed the export.
- Post-incident hardening: restrict hive export activity to recognized recovery or forensic workflows, document the confirmed `process.command_line` and destination patterns behind any exception, and retain process telemetry needed to distinguish future recovery work from repeated abuse.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "host.name",
  "user.name",
  "user.id",
  "process.entity_id",
  "process.executable",
  "process.command_line",
  "process.pe.original_file_name",
  "process.parent.entity_id",
  "process.parent.pid",
  "process.parent.executable",
  "process.parent.command_line",
  "process.code_signature.subject_name",
  "process.Ext.session_info.logon_type",
]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Processes from same parent as alert"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes of reg.exe"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for reg.exe and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for reg.exe and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"

[[rule.threat.technique.subtechnique]]
id = "T1003.004"
name = "LSA Secrets"
reference = "https://attack.mitre.org/techniques/T1003/004/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
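The Python below is an added worked example, not Elastic's code and not part of the rule above. It mirrors the EQL query's match conditions over constructed ECS-style process events, then applies two checks from the investigation guide: the first investigation step (which hive was written where, and whether the destination is a temp, public, UNC/admin-share, removable or deceptive path) and the false-positive guidance that an exception needs the same utility path, signer, parent command line, hive/destination pattern, `user.id` and `host.id` to recur across prior alerts. Everything not in the rule is an assumption: the function names, the sample events and hosts, the hive file extensions, the minimum-recurrence threshold, and the use of a non-system drive letter as a stand-in for removable media (the event carries no drive type, so that hint still has to be confirmed from host telemetry).

```python
# Added example (not Elastic's code): the rule's EQL conditions plus two checks from
# the investigation guide, run over constructed Windows process events.
import fnmatch
import ntpath
import re
from collections import Counter


def eql_like(value, patterns):
    """EQL ':' on a keyword field: case-insensitive wildcard match against any pattern."""
    return value is not None and any(fnmatch.fnmatchcase(value.lower(), p.lower())
                                     for p in patterns)

def rule_matches(event):
    """Mirror of the query: Windows process start, reg.exe identity, a save/export verb
    and a SAM or SECURITY hive path in process.args (any array element may match)."""
    if (event.get("event.category"), event.get("host.os.type"),
            event.get("event.type")) != ("process", "windows", "start"):
        return False
    if not (eql_like(event.get("process.pe.original_file_name"), ["reg.exe"])
            or eql_like(event.get("process.name"), ["reg.exe"])):
        return False
    args = event.get("process.args") or []
    return (any(eql_like(a, ["save", "export"]) for a in args)
            and any(eql_like(a, ["hklm\\sam", "hklm\\security"]) for a in args))

def parse_reg_export(args):
    """Return (verb, hive, destination) from reg.exe arguments, or None."""
    lowered = [a.lower() for a in args]
    for i, a in enumerate(lowered):
        if a in ("save", "export") and i + 1 < len(args):
            dest = args[i + 2] if i + 2 < len(args) else ""
            return a, lowered[i + 1].split("\\")[-1], dest
    return None

def destination_risk(dest):
    """Risky destination classes named in the guide. Removable media is approximated by a
    non-system drive letter (assumption); 'deceptive' means a non-hive file extension."""
    d = dest.lower()
    if d.startswith("\\\\"):
        return "UNC or admin share"
    if re.search(r"\\(temp|tmp)\\", d) or "\\appdata\\local\\temp\\" in d:
        return "temp"
    if d.startswith("c:\\users\\public\\"):
        return "public"
    if re.match(r"^[d-z]:\\", d):
        return "non-system drive (possibly removable; confirm drive type from host telemetry)"
    if not d.endswith((".hiv", ".hive", ".sav", ".dat", ".bak", ".reg")):  # assumed set
        return "deceptive name (hive written under a non-hive extension)"
    return None

def triage(event):
    """First investigation step: which hive went where, and is the destination risky?"""
    if not rule_matches(event):
        return None
    verb, hive, dest = parse_reg_export(event["process.args"])
    return {"verb": verb, "hive": hive, "destination": dest, "risk": destination_risk(dest)}

def exception_pattern(alert):
    """Minimum exception pattern from the false-positive guidance: utility path, signer,
    parent command line, hive plus destination directory, user and host."""
    _, hive, dest = parse_reg_export(alert["process.args"])
    return (alert.get("process.executable"), alert.get("process.code_signature.subject_name"),
            alert.get("process.parent.command_line"), hive, ntpath.dirname(dest).lower(),
            alert.get("user.id"), alert.get("host.id"))

def exception_supported(candidate, prior_alerts, min_recurrences=3):
    """True only when the full pattern recurred in prior alerts (threshold is an assumption)."""
    seen = Counter(exception_pattern(a) for a in prior_alerts)
    return seen[exception_pattern(candidate)] >= min_recurrences

def make_event(args, name="reg.exe", parent_cmd="C:\\Windows\\System32\\cmd.exe",
               user="S-1-5-21-1-1001", host="ws-01"):
    """Constructed ECS-style process start event with flattened field names."""
    return {"event.category": "process", "event.type": "start", "host.os.type": "windows",
            "host.id": host, "user.id": user, "process.name": name,
            "process.pe.original_file_name": name, "process.args": args,
            "process.executable": "C:\\Windows\\System32\\" + name,
            "process.code_signature.subject_name": "Microsoft Windows",
            "process.parent.command_line": parent_cmd}

SAMPLE_EVENTS = [  # constructed: the first three should alert, the last three should not
    make_event(["reg", "save", "hklm\\sam", "C:\\Users\\Public\\sam.hiv"]),
    make_event(["reg", "SAVE", "HKLM\\SECURITY", "\\\\fs01\\backup$\\security.hiv"]),
    make_event(["reg", "export", "hklm\\sam", "C:\\ProgramData\\report.pdf", "/y"]),
    make_event(["reg", "query", "hklm\\sam"]),
    make_event(["reg", "export", "HKLM\\SOFTWARE\\Contoso", "C:\\app.reg"]),
    make_event(["notepad", "hklm\\sam"], name="notepad.exe"),
]
BACKUP_CMD = "C:\\Windows\\System32\\cmd.exe /c C:\\ops\\backup-hives.cmd"  # constructed
PRIOR_ALERTS = [make_event(["reg", "save", "hklm\\sam", f"D:\\backups\\sam-{d}.hiv"],
                           parent_cmd=BACKUP_CMD, user="S-1-5-18", host="bk-01")
                for d in ("2024-01-05", "2024-01-12", "2024-01-19")]
EXCEPTION_CANDIDATE = make_event(["reg", "save", "hklm\\sam", "D:\\backups\\sam-2024-01-26.hiv"],
                                 parent_cmd=BACKUP_CMD, user="S-1-5-18", host="bk-01")

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(" ".join(e["process.args"]), "->", triage(e))
    print("exception supported:", exception_supported(EXCEPTION_CANDIDATE, PRIOR_ALERTS))
```

Two design points carry over from the guide: `rule_matches` treats `process.args` the way EQL does (a match on any element, case-insensitive), so `SAVE HKLM\SECURITY` alerts just like the lowercase form; and `exception_pattern` deliberately includes the parent command line, signer, user and host, so a pattern built on `reg.exe` or the hive name alone can never satisfy `exception_supported`.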
Related rules
- NTDS or SAM Database File Copied
- Potential Local NTLM Relay via HTTP
- Wireless Credential Dumping using Netsh Command
- Microsoft IIS Connection Strings Decryption
- Credential Access via TruffleHog Execution