SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
Sigma rule

```yaml
title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
status: test
description: Detects handles requested to SAM registry hive
references:
    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
    - attack.credential-access
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
    - ProcessName
    - ObjectName
falsepositives:
    - Unknown
level: high
```
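To show what this rule actually matches, the following added example (not code from the rule author or the Sigma project) transcribes the selection into a small matcher and runs it over constructed Security-log records; the event dicts, host and user names are made up for illustration.

```python
# Sigma selection transcribed from the rule above (a hand-built dict, not the Sigma project's parser).
SIGMA_SELECTION = {
    "EventID": 4656,
    "ObjectType": "Key",
    "ObjectName|endswith": "\\SAM",
}
OUTPUT_FIELDS = ["ComputerName", "SubjectDomainName", "SubjectUserName",
                 "ProcessName", "ObjectName"]   # the rule's `fields` list

def field_matches(modifier, expected, actual):
    """One Sigma field test. Sigma string matching is case-insensitive;
    EventID is compared textually because many exporters ship it as a string."""
    if actual is None:
        return False
    if isinstance(expected, int):
        return str(actual) == str(expected)
    a, e = str(actual).lower(), expected.lower()
    if modifier is None:
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection=SIGMA_SELECTION):
    """Keys inside one selection map are AND-ed together, as in Sigma."""
    for key, expected in selection.items():
        name, _, modifier = key.partition("|")
        if not field_matches(modifier or None, expected, event.get(name)):
            return False
    return True

def run_rule(events):
    """Return the triage view (the rule's `fields`) for every matching event."""
    return [{f: e.get(f) for f in OUTPUT_FIELDS}
            for e in events if selection_matches(e)]

# Constructed sample records shaped like Windows Security 4656 events (not real telemetry).
_COMMON = {"ComputerName": "WKSTN01", "SubjectDomainName": "CORP",
           "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\System32\\reg.exe"}
SAMPLE_EVENTS = [
    {**_COMMON, "EventID": "4656", "ObjectType": "Key",
     "ObjectName": "\\REGISTRY\\MACHINE\\SAM"},               # hive root: match
    {**_COMMON, "EventID": "4656", "ObjectType": "Key",
     "ObjectName": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains"},  # deeper subkey: no match
    {**_COMMON, "EventID": "4656", "ObjectType": "File",
     "ObjectName": "C:\\Windows\\System32\\config\\SAM"},      # file object, not a key: no match
    {**_COMMON, "EventID": "4663", "ObjectType": "Key",
     "ObjectName": "\\REGISTRY\\MACHINE\\SAM"},               # object access, not handle request: no match
]
```

Because the test is a plain suffix match, the hive's own `SAM` subkey (`\REGISTRY\MACHINE\SAM\SAM`) also fires, while keys further down do not; 4656 must be enabled under Audit Handle Manipulation with a SACL on the key for the event to exist at all.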
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- Cisco Collect Data