Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in a temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Sigma rule (View on GitHub)
```yaml
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
    - id: 839dd1e8-eda8-4834-8145-01beeee33acd
      type: obsolete
status: test
description: |
    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.
    This occurs when an application tries to access a hive and the hive has not been recognized since the last 7 days (by default).
    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 16
        Provider_Name: Microsoft-Windows-Kernel-General
        HiveName|contains:
            - '\Temp\SAM'
            - '\Temp\SECURITY'
    condition: selection
falsepositives:
    - Unknown
level: high
```
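The following is an added example, not part of the Sigma project or this rule: it applies the rule's `selection` (EventID 16 from Microsoft-Windows-Kernel-General with a HiveName containing `\Temp\SAM` or `\Temp\SECURITY`) to constructed Windows System log records, using the same field names the rule uses, and treats the `contains` match case-insensitively as Sigma string modifiers are by default.

```python
# Added example (not Sigma's own code): evaluates the rule's selection
# against constructed event records. Field names follow the rule.

# Substrings taken from the rule's HiveName|contains list.
HIVE_PATTERNS = (r"\Temp\SAM", r"\Temp\SECURITY")


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies the rule's 'selection'.

    Sigma string matching is case-insensitive by default, so the hive
    path and the patterns are compared in lower case.
    """
    if str(event.get("EventID")) != "16":
        return False
    if event.get("Provider_Name") != "Microsoft-Windows-Kernel-General":
        return False
    hive = str(event.get("HiveName", "")).lower()
    return any(p.lower() in hive for p in HIVE_PATTERNS)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # A hive copy left in a user's temp directory: should fire.
    {"EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"\??\C:\Users\alice\AppData\Local\Temp\SAM"},
    # Same event for the legitimately located SAM hive: should not fire.
    {"EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"\SystemRoot\System32\config\SAM"},
    # Lower-case path: 'contains' is case-insensitive, so this fires too.
    {"EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"c:\windows\temp\security"},
    # Different event ID from the same provider: no match.
    {"EventID": 1, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"C:\Windows\Temp\SAM"},
]


def alerts(events) -> list:
    """Return the HiveName of every record that matches the rule."""
    return [e["HiveName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hive in alerts(SAMPLE_EVENTS):
        print("ALERT: access bits cleared on suspicious hive:", hive)
```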
Related rules
- Copying Sensitive Files with Credential Data
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Dumping of Sensitive Hives Via Reg.EXE