Windows syskey registry keys access

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects access to the Windows syskey (boot key) registry keys, which may indicate an attempt to recover the boot key that protects credentials in the SAM database so that the password hashes can be decrypted offline.

Strategy

This rule monitors Windows Security event logs for registry object access events (Event ID 4656, a handle to an object was requested, and Event ID 4663, an attempt was made to access an object) whose target is one of the registry keys backing the Windows syskey mechanism. The class names of these keys hold the pieces from which the boot key (syskey) is derived, and that key protects the credential material stored in the SAM database. Access to them is concerning because credential-theft tooling reads them to recover the boot key, which, together with a copy of the SAM hive, lets an attacker decrypt the stored password hashes offline. Note that registry access events are only generated when the Object Access > Audit Registry policy is enabled and the keys carry a system access control list (SACL) covering the requesting principal; without both, this rule has no events to evaluate.
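The following is an added example, not the vendor's rule implementation, of the matching logic described above run over constructed Security event records. It assumes the rule watches the four subkeys under Control\Lsa whose class names make up the boot key (JD, Skew1, GBG and Data); the page does not list the keys, so that set is an assumption. Field names (EventID, ObjectType, ObjectName, SubjectUserName, ProcessName, AccessMask) follow the Security log schema, and each alert carries the user, process and access rights that the triage steps below ask for.

```python
"""Illustrative syskey registry-access detection over Windows Security
events (EventID 4656/4663). Added example; not the product's rule code."""
from __future__ import annotations

from dataclasses import dataclass

# Subkeys under ...\Control\Lsa whose class names form the boot key (syskey).
# Assumption: the rule on this page targets these four keys.
SYSKEY_SUBKEYS = frozenset(k.lower() for k in ("JD", "Skew1", "GBG", "Data"))
WATCHED_EVENT_IDS = frozenset({4656, 4663})  # handle requested / object accessed

# Registry access-right bits, used only to give triage a readable summary.
KEY_ACCESS_BITS = {
    0x0001: "KEY_QUERY_VALUE",
    0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}


@dataclass(frozen=True)
class Alert:
    event_id: int
    user: str
    process: str
    key: str
    access: str


def is_syskey_key(object_name: str) -> bool:
    """True if the path is one of the boot-key subkeys under Control\\Lsa.

    Security events log kernel paths (\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\...),
    other sources log HKLM\\SYSTEM\\CurrentControlSet\\...; both are accepted, and
    case is ignored because registry paths are case-insensitive.
    """
    path = object_name.strip().lower().rstrip("\\")
    parent, sep, leaf = path.rpartition("\\")
    return bool(sep) and parent.endswith("\\control\\lsa") and leaf in SYSKEY_SUBKEYS


def decode_access_mask(mask: str) -> str:
    """Render an AccessMask such as '0x20019' as the rights it requests."""
    try:
        value = int(mask, 16) if mask.lower().startswith("0x") else int(mask)
    except ValueError:
        return mask or "unknown"
    names = [name for bit, name in KEY_ACCESS_BITS.items() if value & bit]
    return "|".join(names) if names else mask


def detect(events: list[dict]) -> list[Alert]:
    """Return one Alert per event that matches the rule's conditions."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.get("EventID") not in WATCHED_EVENT_IDS:
            continue
        if ev.get("ObjectType") != "Key":  # file access to the SAM hive is a different rule
            continue
        if not is_syskey_key(ev.get("ObjectName", "")):
            continue
        alerts.append(Alert(
            event_id=ev["EventID"],
            user=f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            process=ev.get("ProcessName", ""),
            key=ev["ObjectName"],
            access=decode_access_mask(ev.get("AccessMask", "")),
        ))
    return alerts


# Constructed sample records (not real telemetry). Four should match.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": "0x1",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\JD",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Users\jdoe\Downloads\dump.exe"},
    {"EventID": 4656, "ObjectType": "Key", "AccessMask": "0x20019",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Skew1",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": "0x1",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Data",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Users\jdoe\Downloads\dump.exe"},
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": "0x1",
     "ObjectName": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\gbg",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
     "ProcessName": r"C:\Windows\System32\reg.exe"},
    # Non-matching: sibling Lsa key, SAM hive as a file, and a value-change event.
    {"EventID": 4663, "ObjectType": "Key", "AccessMask": "0x1",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit",
     "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\regedit.exe"},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\System32\config\SAM",
     "SubjectUserName": "jdoe", "ProcessName": r"C:\Users\jdoe\Downloads\dump.exe"},
    {"EventID": 4657, "ObjectType": "Key", "AccessMask": "0x2",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\JD",
     "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second sample shows why the process field matters in triage: lsass.exe itself reads these keys as part of normal operation, so an alert from it with an expected access mask reads differently from one raised by an executable in a user's download directory.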

Triage & Response

  • Identify the user account that accessed the syskey registry keys on {{host}}, and whether it is a privileged, service or interactive account.
  • Determine whether the access was part of authorized security testing, backup activity or system maintenance.
  • Review the process information recorded with the registry access event (process name and ID) to identify the responsible application, and check whether that binary is expected on the host.
  • Check for other suspicious activity in the same timeframe, such as execution of credential dumping tools or unusual file access patterns.
  • Examine file creation events for evidence of registry hive exports (for example, saved copies of the SAM and SYSTEM hives) or exfiltration of credential data.