Detection rules › Sigma
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.002 OS Credential Dumping: Security Account Manager |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Kernel-General | 16 | The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages. |
Stages and Predicates
Stage 1: selection
or:
HiveName|contains: '\Temp\SAM'
HiveName|contains: '\Temp\SECURITY'
Provider_Name: Microsoft-Windows-Kernel-General
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
HiveName | match |
|
Provider_Name | eq |
|