detection.wiki

Detection rules › Sigma

SysKey Registry Keys Access

Severity
high
Author
Roberto Rodriguez @Cyb3rWard0g
Source
upstream

Detects handle requests and access operations to specific registry keys to calculate the SysKey

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1012 Query Registry

Event coverage

ProviderEvent IDTitle
Security-Auditing4656A handle to an object was requested.
Security-Auditing4663An attempt was made to access an object.

Stages and Predicates

Stage 1: selection

or:
ObjectName|endswith: 'lsa\Data'
ObjectName|endswith: 'lsa\GBG'
ObjectName|endswith: 'lsa\JD'
ObjectName|endswith: 'lsa\Skew1'
ObjectType: key

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ObjectNameends_with
  • lsa\Data
  • lsa\GBG
  • lsa\JD
  • lsa\Skew1
ObjectTypeeq
  • key

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.