Dumping of Sensitive Hives Via Reg.EXE

 1title: Dumping of Sensitive Hives Via Reg.EXE
 2id: fd877b94-9bb5-4191-bb25-d79cbd93c167
 3related:
 4    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
 5      type: obsolete
 6    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
 7      type: obsolete
 8status: test
 9description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
10references:
11    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
12    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
14    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
15    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
16author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
17date: 2019-10-22
18modified: 2023-12-13
19tags:
20    - attack.credential-access
21    - attack.t1003.002
22    - attack.t1003.004
23    - attack.t1003.005
24    - car.2013-07-001
25logsource:
26    category: process_creation
27    product: windows
28detection:
29    selection_img:
30        - Image|endswith: '\reg.exe'
31        - OriginalFileName: 'reg.exe'
32    selection_cli_flag:
33        CommandLine|contains:
34            - ' save '
35            - ' export '
36            - ' ˢave '
37            - ' eˣport '
38    selection_cli_hklm:
39        CommandLine|contains:
40            - 'hklm'
41            - 'hk˪m'
42            - 'hkey_local_machine'
43            - 'hkey_˪ocal_machine'
44            - 'hkey_loca˪_machine'
45            - 'hkey_˪oca˪_machine'
46    selection_cli_hive:
47        CommandLine|contains:
48            - '\system'
49            - '\sam'
50            - '\security'
51            - '\ˢystem'
52            - '\syˢtem'
53            - '\ˢyˢtem'
54            - '\ˢam'
55            - '\ˢecurity'
56    condition: all of selection_*
57falsepositives:
58    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
59level: high

References

• Hunting for Credentials Dumping in Windows Environment

  

  Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free

  
  Read More

• SAM Dumping via Reg.exe — EQL Analytics Library documentation

  © Copyright 2019, Endgame Revision 30243396.

  
  Read More

• atomic-red-team/atomics/T1003/T1003.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Windows Command-Line Obfuscation

  

  Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.

  
  Read More

• atomic-red-team/atomics/T1003.002/T1003.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Cred Dump Tools Dropped Files
• Credential Dumping Tools Service Execution - Security
• Credential Dumping Tools Service Execution - System
• HackTool - Credential Dumping Tools Named Pipe Created
• HackTool - Mimikatz Execution