Critical Hive In Suspicious Location Access Bits Cleared

Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name (SAM, SECURITY) located in a temp directory have been reset. This occurs when an application tries to access a hive and the hive has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Sigma rule

title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
    - id: 839dd1e8-eda8-4834-8145-01beeee33acd
      type: obsoletes
status: test
description: |
    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.
    This occurs when an application tries to access a hive and the hive has not been recognized since the last 7 days (by default).
    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017/05/15
modified: 2024/01/18
tags:
    - attack.credential_access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 16
        Provider_Name: Microsoft-Windows-Kernel-General
        HiveName|contains:
            - '\Temp\SAM'
            - '\Temp\SECURITY'
    condition: selection
falsepositives:
    - Unknown
level: high
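To show what the selection above actually does when applied to System-log records, here is an added example (not part of the rule or the Sigma project) that flattens exported Windows event XML into the field names the rule uses and applies the three conditions; the event records are constructed, the `HiveName` EventData field name and the `\??\`-prefixed hive paths are assumptions, and `contains` is implemented case-insensitively as Sigma string matching is by default.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Windows event records
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Selection block of the Sigma rule above. Sigma string matching is
# case-insensitive by default, so the 'contains' check below lowercases both sides.
SELECTION = {
    "EventID": 16,
    "Provider_Name": "Microsoft-Windows-Kernel-General",
    "HiveName|contains": ["\\Temp\\SAM", "\\Temp\\SECURITY"],
}


def parse_event(xml_text: str) -> dict:
    """Flatten one event record into the field names the Sigma windows/system logsource exposes."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "Provider_Name": system.find("e:Provider", NS).get("Name"),
        "EventID": int(system.find("e:EventID", NS).text),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def matches_rule(fields: dict) -> bool:
    """All selection keys must match; a list value matches if any element does."""
    if fields.get("EventID") != SELECTION["EventID"]:
        return False
    if fields.get("Provider_Name") != SELECTION["Provider_Name"]:
        return False
    hive = fields.get("HiveName", "").lower()
    return any(needle.lower() in hive for needle in SELECTION["HiveName|contains"])


def make_event(provider: str, event_id: int, hive: str) -> str:
    # Constructed record in the shape of an exported event; the HiveName field name is assumed.
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="HiveName">{hive}</Data></EventData></Event>')


SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    make_event("Microsoft-Windows-Kernel-General", 16, r"\??\C:\Windows\System32\config\SAM"),
    make_event("Microsoft-Windows-Kernel-General", 16, r"\??\C:\Users\alice\AppData\Local\Temp\SAM"),
    make_event("Microsoft-Windows-Kernel-General", 16, r"\??\C:\Users\alice\AppData\Local\temp\security"),
    make_event("Microsoft-Windows-Kernel-General", 15, r"\??\C:\Users\alice\AppData\Local\Temp\SAM"),
]


def alerts(events) -> list:
    """Return the hive paths of every record that triggers the rule."""
    return [parse_event(e)["HiveName"] for e in events if matches_rule(parse_event(e))]


if __name__ == "__main__":
    for hive in alerts(SAMPLE_EVENTS):
        print("ALERT: access bits cleared on hive", hive)
```

The legitimate hive under `System32\config` and the non-16 event are ignored; only the two temp-directory copies (one with mixed case) are reported.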
