SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Sigma rule

```yaml
title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
status: test
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
references:
    - https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'key'
        ObjectName|endswith:
            - 'lsa\JD'
            - 'lsa\GBG'
            - 'lsa\Skew1'
            - 'lsa\Data'
    condition: selection
falsepositives:
    - Unknown
level: high
```
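As an added example (not code from this page or from the Sigma project), the Python below evaluates the rule's selection over constructed Security events and, going beyond the rule, groups the hits by process to show which of the four keys each one touched. The event dictionaries, process paths and function names are assumptions made for illustration.

```python
# Added example: the rule's selection applied to constructed events.
SUFFIXES = ("lsa\\jd", "lsa\\gbg", "lsa\\skew1", "lsa\\data")  # ObjectName|endswith
EVENT_IDS = {"4656", "4663"}


def matches_selection(event):
    """True when the event satisfies every field of the rule's selection."""
    # Sigma compares strings case-insensitively by default, so the rule's
    # 'key' and 'lsa\JD' also match the 'Key' and 'Lsa\JD' Windows logs.
    return (str(event.get("EventID")) in EVENT_IDS
            and str(event.get("ObjectType", "")).lower() == "key"
            and str(event.get("ObjectName", "")).lower().endswith(SUFFIXES))


def keys_by_process(events):
    """Triage aid beyond the rule: which of the four keys each process touched."""
    seen = {}
    for ev in filter(matches_selection, events):
        leaf = ev["ObjectName"].rsplit("\\", 1)[-1].lower()
        seen.setdefault(ev.get("ProcessName", "?"), set()).add(leaf)
    return {proc: sorted(keys) for proc, keys in seen.items()}


def _ev(event_id, obj_type, obj_name, proc):
    return {"EventID": event_id, "ObjectType": obj_type,
            "ObjectName": obj_name, "ProcessName": proc}


# Constructed sample data; paths and process names are hypothetical.
LSA = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa"
EXAMPLE = "C:\\Temp\\example.exe"
SAMPLE_EVENTS = [
    _ev(4663, "Key", LSA + "\\JD", EXAMPLE),
    _ev(4656, "Key", LSA + "\\Skew1", EXAMPLE),
    _ev(4663, "Key", LSA + "\\GBG", EXAMPLE),
    _ev(4663, "Key", LSA + "\\Data", EXAMPLE),
    _ev(4663, "Key", LSA, "C:\\Windows\\System32\\lsass.exe"),   # parent key only
    _ev(4663, "File", "C:\\share\\lsa\\Data", EXAMPLE),          # not a registry key
    _ev(4657, "Key", LSA + "\\JD", EXAMPLE),                     # EventID not in rule
    _ev("4663", "Key", LSA + "\\Data", "C:\\Tools\\backup-agent.exe"),
]

if __name__ == "__main__":
    for proc, keys in keys_by_process(SAMPLE_EVENTS).items():
        note = "all four keys" if len(keys) == 4 else "partial"
        print(f"{proc}: {', '.join(keys)} ({note})")
```

A process that touches all four keys in a short window is a stronger signal than a single hit, which helps when triaging this rule's unknown false positives.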
Related rules
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- HackTool - PCHunter Execution
- Operation Wocao Activity
- Operation Wocao Activity - Security