SAM Dumping via Reg.exe¶
Identifies usage of reg.exe
to export registry hives which contain the SAM and LSA secrets.
id: | aed95fc6-5e3f-49dc-8b35-06508613f979 |
---|---|
categories: | detect |
confidence: | low |
os: | windows |
created: | 11/30/2018 |
updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
tactics: | Credential Access |
---|---|
techniques: | T1003 Credential Dumping |
Query¶
process where subtype.create and
process_name == "reg.exe" and
(command_line == "* save *" or command_line == "* export *") and
(command_line == "*hklm*" or command_line == "*hkey_local_machine*" ) and
(command_line == "*\\sam *" or command_line == "*\\security *" or command_line == "*\\system *")