Detectionhightest

SAM Registry Hive Handle Request

Detects handles requested to SAM registry hive

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g)Created Mon Aug 12Updated Sat Nov 27f8748f2c-89dc-4d95-afb0-5a2dfdbad332windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Sub-techniques

Rule Metadata

Rule ID

f8748f2c-89dc-4d95-afb0-5a2dfdbad332

Status

test

Level

high

Type

Detection

Created

Mon Aug 12

Modified

Sat Nov 27

Author

Path

rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml

Raw Tags

attack.discoveryattack.t1012attack.credential-accessattack.t1552.002