The SAM registry hive (HKLM\SAM) holds the password hashes and account metadata of every local account, so a process that requests a handle to it is either enumerating local accounts (discovery) or preparing to dump credentials, for example by saving the hive to disk for offline extraction. Hunting for these handle requests in Azure Sentinel (now Microsoft Sentinel) gives SOC teams an early signal of credential theft or privilege-escalation attempts. Note that event 4656 ("A handle to an object was requested") is only written when the Registry subcategory of Object Access auditing is enabled and the SAM key carries a SACL that audits handle requests; without both, the rule below has nothing to match.
Detection Rule
title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
status: test
description: Detects handles requested to SAM registry hive
references:
    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
    - attack.credential-access
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (ASIM imRegistry parser)
imRegistry
| where RegistryKey endswith "\\SAM"
Inside a KQL double-quoted string "\\SAM" is the four characters \SAM, so the query matches any normalized registry event whose key path ends in \SAM. It does not filter on the operation type, so it is broader than the Sigma selection above, which is restricted to 4656 handle requests on objects of type Key. To reproduce the Sigma rule exactly, query the SecurityEvent table on EventID 4656, ObjectType "Key" and an ObjectName ending in \SAM, and confirm that the registry parsers in the workspace actually emit 4656 handle requests rather than only key and value modifications; if they do not, the imRegistry form will silently return nothing.
False Positive Scenarios
Event 4656 records the subject account, the Process ID and the Process Name of the requester, but not the parent process or the command line. Every exclusion below therefore needs the handle request correlated with process-creation telemetry (4688 with command-line auditing enabled, or Sysmon Event ID 1) on the process ID. Scope exclusions to a named account, host or service SID rather than to a process name alone, since an attacker can launch any binary under a benign name. Never exclude reg.exe on the basis of its name: saving or exporting HKLM\SAM with reg.exe is the credential-dumping technique this rule exists to catch.
Scenario: A system administrator is using reg.exe to query the SAM hive for user account information during routine user management tasks.
Filter/Exclusion: Exclude reg.exe only when the parent process is explorer.exe or cmd.exe, the command line contains query or enum, and the subject is a designated administrative account; keep alerting on any reg.exe command line containing save or export.
Scenario: A Windows Server Backup job is accessing the SAM hive to back up the system state, which includes the local accounts.
Filter/Exclusion: Exclude the backup engine service wbengine.exe (started by services.exe and running as SYSTEM) and wbadmin.exe when it is run by the backup operator account on hosts where Windows Server Backup is deployed.
Scenario: An administrator has the Group Policy Management Console open; the gpmc.msc snap-in is hosted by mmc.exe, which may open the hive while policy is being edited.
Filter/Exclusion: Exclude mmc.exe whose command line contains gpmc.msc when the subject is a designated administrative account; gpmc.msc itself is a snap-in, not a process, so it never appears as a process name.
Scenario: A third-party security tool, for example the Microsoft Baseline Security Analyzer (MBSA), is performing a system audit and accessing the SAM hive as part of its checks.
Filter/Exclusion: Exclude the scanner's binaries (mbsa.exe and mbsacli.exe for MBSA) when they run under the scanning service account from approved management hosts.
Scenario: A scheduled task is configured to run a script that interacts with the SAM hive for user account validation.
Filter/Exclusion: Exclude the task's process when its parent is the Task Scheduler service host (svchost.exe hosting the Schedule service; schtasks.exe only creates tasks and is not the parent of the running task), the task runs under the expected account, and the command line includes net user or net localgroup.
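As an added example (not code from the Sigma rule, the ThreatHunter Playbook or this page), the following Python applies the selection from the rule above to constructed Windows Security events, joins each 4656 handle request to a constructed 4688 process-creation record on process ID so that the exclusions described in the scenarios can see the parent process and command line, and applies a narrowly scoped allowlist that never suppresses a reg.exe save or export of the hive. Field names follow the Windows Security event schema as surfaced in Sentinel's SecurityEvent table; the events, SIDs, paths and allowlist entries are made up for the demonstration.

```python
# Added example: Sigma selection + scoped allowlist over constructed events.
# Not the Sigma project's or ThreatHunter Playbook's code; all sample data,
# SIDs, paths and allowlist entries are constructed for this demonstration.

SAM_SUFFIX = "\\SAM"


def matches_rule(event):
    """Sigma selection: EventID 4656, ObjectType 'Key', ObjectName ending '\\SAM'.

    Sigma string modifiers are case-insensitive, so compare case-folded.
    Only the hive root (\\REGISTRY\\MACHINE\\SAM) matches; a subkey such as
    SAM\\SAM\\Domains\\Account\\Users does not end in \\SAM.
    """
    return (
        event.get("EventID") == 4656
        and str(event.get("ObjectType", "")).lower() == "key"
        and str(event.get("ObjectName", "")).lower().endswith(SAM_SUFFIX.lower())
    )


def enrich_with_process_creation(handle_events, creation_events):
    """4656 has ProcessId/ProcessName but no parent or command line; join to 4688.

    Joining on PID alone is fine for a demo; in production also constrain by
    host and a short time window, because PIDs are reused.
    """
    by_pid = {c["NewProcessId"]: c for c in creation_events}
    enriched = []
    for e in handle_events:
        c = by_pid.get(e.get("ProcessId"), {})
        enriched.append({**e,
                         "CommandLine": c.get("CommandLine", ""),
                         "ParentProcessName": c.get("ParentProcessName", "")})
    return enriched


# Constructed allowlist. Every listed field must match (case-insensitive).
# Keyed on SID, not display name, so a renamed account cannot slip through.
# S-1-5-18 is Local System; the other SID is a made-up domain account.
ALLOWLIST = [
    {"name": "Windows Server Backup engine running as SYSTEM",
     "ProcessName": "c:\\windows\\system32\\wbengine.exe",
     "SubjectUserSid": "S-1-5-18"},
    {"name": "reg.exe from cmd.exe by the designated local-admin account",
     "ProcessName": "c:\\windows\\system32\\reg.exe",
     "ParentProcessName": "c:\\windows\\system32\\cmd.exe",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104"},
]

# Never excluded regardless of the allowlist: saving/exporting the hive with
# reg.exe is the credential-dumping technique the rule exists to catch.
NEVER_EXCLUDE_CMDLINE_TOKENS = ("save", "export")


def is_allowlisted(event):
    cmd_tokens = event.get("CommandLine", "").lower().split()
    if event.get("ProcessName", "").lower().endswith("\\reg.exe"):
        if any(tok in cmd_tokens for tok in NEVER_EXCLUDE_CMDLINE_TOKENS):
            return False
    return any(
        all(str(event.get(k, "")).lower() == str(v).lower()
            for k, v in entry.items() if k != "name")
        for entry in ALLOWLIST
    )


def alerts(security_events):
    """Select, enrich with 4688, then drop allowlisted matches."""
    handles = [e for e in security_events if matches_rule(e)]
    creations = [e for e in security_events if e.get("EventID") == 4688]
    return [e for e in enrich_with_process_creation(handles, creations)
            if not is_allowlisted(e)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessId": "0x1a4c",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv"},
    {"EventID": 4688, "NewProcessId": "0x1b00",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg query HKLM\\SAM"},
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM",
     "ProcessId": "0x1a4c", "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104"},
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM",
     "ProcessId": "0x1b00", "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104"},
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM",
     "ProcessId": "0x0be0", "ProcessName": "C:\\Windows\\System32\\wbengine.exe",
     "SubjectUserName": "HOST01$", "SubjectUserSid": "S-1-5-18"},
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE",
     "ProcessId": "0x0c20", "ProcessName": "C:\\Windows\\System32\\mmc.exe",
     "SubjectUserName": "admin1", "SubjectUserSid": "S-1-5-21-1111-2222-3333-500"},
    {"EventID": 4657, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM",
     "ProcessId": "0x0d10", "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "SubjectUserName": "HOST01$", "SubjectUserSid": "S-1-5-18"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a["SubjectUserName"], a["ProcessName"], a["CommandLine"])
```

Of the three handle requests that match the selection, the backup engine and the administrator's reg query are suppressed by the allowlist, while the reg save of the hive by the same administrator still alerts because the never-exclude check runs before the allowlist. The selection's endswith match is deliberately narrow: it covers the hive root only, so a tool that opens a subkey directly is not matched, which is why the 4657 event and the SOFTWARE key in the sample fall through.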