SAM Dumping via Reg.exe¶
Identifies usage of reg.exe to export registry hives which contain the SAM and LSA secrets.
| id: | aed95fc6-5e3f-49dc-8b35-06508613f979 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Credential Access |
|---|---|
| techniques: | T1003 Credential Dumping |
Query¶
process where subtype.create and
process_name == "reg.exe" and
(command_line == "* save *" or command_line == "* export *") and
(command_line == "*hklm*" or command_line == "*hkey_local_machine*" ) and
(command_line == "*\\sam *" or command_line == "*\\security *" or command_line == "*\\system *")