SigmaHQ/rules/windows/builtin/win_sam_registry_hive_handle_request.yml

31 lines
794 B
YAML

title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
description: Detects handles requested to SAM registry hive
status: experimental
date: 2019/08/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'Key'
ObjectName|endswith: '\SAM'
condition: selection
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ProcessName
- ObjectName
falsepositives:
- Unknown
level: critical