Windows critical hive in suspicious location access bits cleared

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when a SAM or SECURITY registry hive, which stores local password hashes and LSA secrets, is present in a temporary location and has its access bits cleared, a sign that the hive has been copied out of its protected system directory for credential extraction.

Strategy

This rule monitors Windows Kernel-General events where @evt.id is 16 and @Event.EventData.Data.HiveName references a SAM or SECURITY registry hive under a temporary file path. Event ID 16 is logged when the kernel clears the access history (the "access bits") of a registry hive, which normally happens when a hive file is loaded or saved; the HiveName field carries the path of the hive file involved. The live hives under %SystemRoot%\System32\config are locked by the operating system, so attackers who dump credentials typically create a copy of SAM and SECURITY (for example with reg save, from a volume shadow copy, or via a raw disk read) in a temporary directory and then load or save that copy. The access-bit clearing on the copied hive is what surfaces the activity in this event; a SAM or SECURITY hive name in a path such as \Windows\Temp or \AppData\Local\Temp is therefore a strong indicator of credential dumping rather than normal system maintenance.

Note that the hashes in SAM and the secrets in SECURITY are encrypted with a boot key held in the SYSTEM hive, so attackers usually copy SYSTEM alongside them; this rule matches only SAM and SECURITY, and a SYSTEM hive copied to the same location will appear in the same event stream but is not matched on its own.
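The matching logic described above, written out as an added example that is not the rule's own implementation. It assumes events arrive as dictionaries shaped like the attributes the rule references (evt.id, Event.EventData.Data.HiveName) plus an assumed Event.System.Provider.Name field for the provider; the sample events, host names and paths are constructed for the example.

```python
"""Match Kernel-General event 16 for SAM/SECURITY hives in temporary paths.

Example code, not the rule's own implementation. Event layout (evt.id,
Event.EventData.Data.HiveName, Event.System.Provider.Name) is assumed.
"""
import re

# The hive file name must be exactly SAM or SECURITY, optionally with an
# extension (sam.hiv, SECURITY.save). Anchoring on the path separator avoids
# matching unrelated names such as "samples" or "securityscan.log".
HIVE_NAME_RE = re.compile(r"[\\/](SAM|SECURITY)(\.[A-Za-z0-9_-]+)?$", re.IGNORECASE)

# Temporary and staging directories (assumed list; extend for your environment).
TEMP_PATH_RE = re.compile(
    r"[\\/](temp|tmp)[\\/]"          # ...\Temp\... and ...\tmp\...
    r"|[\\/]users[\\/]public[\\/]",  # C:\Users\Public\... used as a drop location
    re.IGNORECASE,
)

# Event 16 for the live hives in System32\config is routine system activity.
LIVE_HIVE_DIR_RE = re.compile(r"[\\/]system32[\\/]config[\\/]", re.IGNORECASE)

KERNEL_GENERAL = "Microsoft-Windows-Kernel-General"


def normalize_hive_path(raw: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) that HiveName usually carries.

    \\Device\\HarddiskVolumeN\\... paths are left as-is; the directory patterns
    still match on them.
    """
    if raw.startswith("\\??\\"):
        return raw[4:]
    return raw


def is_suspicious_hive_event(event: dict) -> bool:
    """True when the event is Kernel-General ID 16 for a SAM/SECURITY copy in a temp path."""
    if event.get("evt", {}).get("id") != 16:
        return False
    provider = (event.get("Event", {}).get("System", {})
                .get("Provider", {}).get("Name", ""))
    if provider != KERNEL_GENERAL:
        return False
    raw = (event.get("Event", {}).get("EventData", {})
           .get("Data", {}).get("HiveName", ""))
    path = normalize_hive_path(raw)
    if not HIVE_NAME_RE.search(path):
        return False          # some other hive (e.g. a user NTUSER.DAT)
    if LIVE_HIVE_DIR_RE.search(path):
        return False          # the real hive in its protected location
    return bool(TEMP_PATH_RE.search(path))


def find_hive_copies(events) -> list:
    """Return (host, normalized hive path) for every matching event."""
    hits = []
    for ev in events:
        if is_suspicious_hive_event(ev):
            raw = ev["Event"]["EventData"]["Data"]["HiveName"]
            hits.append((ev.get("host", "?"), normalize_hive_path(raw)))
    return hits


def _kg16(host: str, hive: str, evt_id: int = 16, provider: str = KERNEL_GENERAL) -> dict:
    """Build a constructed event in the assumed layout."""
    return {
        "host": host,
        "evt": {"id": evt_id},
        "Event": {
            "System": {"Provider": {"Name": provider}},
            "EventData": {"Data": {"HiveName": hive}},
        },
    }


# Constructed sample events: three true positives, three benign look-alikes,
# and one raw device path.
SAMPLE_EVENTS = [
    _kg16("ws-01", r"\??\C:\Users\bob\AppData\Local\Temp\sam.hiv"),      # hit
    _kg16("srv-02", r"\??\C:\Windows\Temp\SECURITY"),                    # hit
    _kg16("srv-02", r"\??\C:\Windows\System32\config\SAM"),              # live hive
    _kg16("ws-03", r"\??\C:\Temp\samples\data.dat"),                     # "sam" substring
    _kg16("ws-01", r"\??\C:\Users\bob\AppData\Local\Temp\sam.hiv", evt_id=4656),  # wrong ID
    _kg16("ws-04", r"\??\C:\Users\Public\security.save"),                # hit
    _kg16("dc-01", r"\Device\HarddiskVolume3\Windows\Temp\sam"),         # hit, device path
]

if __name__ == "__main__":
    for host, path in find_hive_copies(SAMPLE_EVENTS):
        print(f"{host}: hive copy with access bits cleared at {path}")
```

Extending the match to the SYSTEM hive is a one-token change to HIVE_NAME_RE; whether to do so depends on how noisy SYSTEM hive loads are in your environment, since backup and imaging tools touch it far more often than SAM or SECURITY.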

Triage and response

  • Examine the temporary file path from the HiveName field on {{host}}. If the hive files still exist, preserve them (record hashes and copy them to an evidence store) before they are cleaned up, and check whether a SYSTEM hive was copied to the same location, since it holds the boot key needed to decrypt the other two.
  • Check for credential dumping activity in the same timeframe on {{host}}: reg.exe save or export of HKLM\SAM or HKLM\SECURITY, volume shadow copy creation, esentutl or other raw file copies of files under System32\config, and known dumping tools (such as Mimikatz or secretsdump).
  • Review system and security logs for the account and process that performed the copy, and for signs of the privilege escalation that made it possible, since writing these hives requires SYSTEM or backup privileges.
  • Analyze network activity from {{host}} after the hive access for transfer of the hive files or extracted hashes to another system.
  • Treat every credential stored in the copied hives as exposed: reset the local account passwords held in SAM, and rotate the service account passwords and other LSA secrets stored in SECURITY, along with any domain accounts whose cached credentials may have been present.