Windows syskey registry keys access

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects access to the Windows syskey (boot key) registry keys, which can indicate an attempt to extract the boot key needed to decrypt password hashes from the SAM database in an offline credential theft attack.

Strategy

This rule monitors Windows Security event logs for registry access events (Event ID 4656, a handle to an object was requested, and Event ID 4663, an attempt was made to access an object) whose target is one of the registry keys that back the Windows syskey functionality. The boot key is derived from the class names of the JD, Skew1, GBG and Data subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the key material they hold protects the password hashes stored in the SAM database. Access to these keys is concerning because attackers read them to recover the syskey/boot key, which, combined with a copy of the SAM hive, lets them decrypt the password hashes offline. Note that these events are only generated when Object Access auditing is enabled for the Registry subcategory and a SACL is set on the keys, and that the event's Object Name field records the path in kernel form (for example \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\JD) rather than through the CurrentControlSet alias.
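The detection logic described above, as an added example that is not the rule's own query: it parses Windows Security event XML records, keeps only 4656/4663 registry accesses whose Object Name is one of the four syskey subkeys, and tallies hits per account and process so the triage steps below have something to work from. The event records are constructed for this example, the field names follow the standard EventData names used in 4663 events (SubjectUserName, ObjectType, ObjectName, ProcessName), and the file paths are placeholders, not real tooling.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterable, List

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs the rule keys on: 4656 = a handle to an object was requested,
# 4663 = an attempt was made to access an object.
REGISTRY_ACCESS_EVENT_IDS = {4656, 4663}

# The boot key is derived from the class names of these four subkeys. In the
# event's ObjectName field the path is written in kernel form
# \REGISTRY\MACHINE\SYSTEM\ControlSetNNN\Control\Lsa\<name>, so the pattern
# accepts any control set as well as the CurrentControlSet alias.
SYSKEY_OBJECT_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\Lsa\\(?:JD|Skew1|GBG|Data)$",
    re.IGNORECASE,
)


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Windows event XML record into {field name: value}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=EVENT_NS) or ""}
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def is_syskey_access(event: Dict[str, str]) -> bool:
    """True when the event is a registry access to one of the syskey subkeys."""
    try:
        event_id = int(event.get("EventID", ""))
    except ValueError:
        return False
    if event_id not in REGISTRY_ACCESS_EVENT_IDS:
        return False
    # 4663 is also raised for files and other object types; only keys matter here.
    if event.get("ObjectType") != "Key":
        return False
    return SYSKEY_OBJECT_RE.match(event.get("ObjectName", "")) is not None


def find_syskey_access(xml_records: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the rule."""
    return [ev for ev in (parse_event(r) for r in xml_records) if is_syskey_access(ev)]


def summarize_actors(hits: Iterable[Dict[str, str]]) -> Counter:
    """Count hits per (account, process): who touched the keys and with what."""
    return Counter((h.get("SubjectUserName", ""), h.get("ProcessName", "")) for h in hits)


def _record(event_id: int, user: str, obj_type: str, obj_name: str, process: str) -> str:
    """Build a minimal Security event XML record (constructed test data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ObjectType">{obj_type}</Data>
    <Data Name="ObjectName">{obj_name}</Data>
    <Data Name="ProcessName">{process}</Data>
  </EventData>
</Event>"""


# Constructed sample log, not real telemetry. Paths are placeholders.
LSA = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa"
SAMPLE_RECORDS = [
    _record(4663, "alice", "Key", LSA + r"\JD", r"C:\Users\alice\Downloads\dump.exe"),
    _record(4663, "alice", "Key", LSA + r"\Skew1", r"C:\Users\alice\Downloads\dump.exe"),
    _record(4656, "SYSTEM", "Key", LSA + r"\GBG", r"C:\Windows\System32\lsass.exe"),
    _record(4663, "bob", "Key", LSA, r"C:\Windows\regedit.exe"),  # parent key only
    _record(4663, "bob", "File", r"C:\Windows\System32\config\SAM", r"C:\Windows\explorer.exe"),
    _record(4624, "carol", "", "", ""),  # logon event, ignored
]

if __name__ == "__main__":
    for (user, process), count in summarize_actors(find_syskey_access(SAMPLE_RECORDS)).items():
        print(f"{count} syskey key access(es) by {user} via {process}")
```

On the constructed sample the rule fires three times: two for the user-profile binary and one for lsass.exe. Both are reported, as the rule intends; deciding that the lsass.exe access is normal system operation while the unsigned binary in a Downloads folder is not is exactly the second triage step below, so the summary keeps the account and process name next to each hit rather than filtering anything out.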

Triage & Response

  • Identify the user account (Subject Account Name in the event) that accessed the syskey registry keys on {{host}}.
  • Determine whether the access was part of authorized security testing, backup activity, or system maintenance; the local security subsystem reading these keys during normal operation is expected, while an unfamiliar binary running from a user profile is not.
  • Review the Process Name and Process ID recorded in the event to identify the application responsible for the access.
  • Check for other suspicious activity in the same timeframe, such as execution of credential dumping tools or unusual file access patterns.
  • Examine file creation events for evidence of registry hive exports (for example saved copies of the SAM and SYSTEM hives) or exfiltration of credential data.