Adversaries may access specific registry keys to exfiltrate or manipulate the SysKey, which is critical for decrypting credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or persistence mechanisms early.
Detection Rule
title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
status: test
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
references:
    - https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'key'
        ObjectName|endswith:
            - 'lsa\JD'
            - 'lsa\GBG'
            - 'lsa\Skew1'
            - 'lsa\Data'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
imRegistry
| where RegistryKey endswith "lsa\\JD"
    or RegistryKey endswith "lsa\\GBG"
    or RegistryKey endswith "lsa\\Skew1"
    or RegistryKey endswith "lsa\\Data"
Scenario: Windows Update Service Accessing SysKey Registry Keys
Description: The Windows Update service may access registry keys related to SysKey during system updates or security policy enforcement.
Filter/Exclusion: Exclude processes associated with svchost.exe (specifically the svchost instance hosting wuauserv) or use a process name filter like wuauserv.
Scenario: Group Policy Processing (GPUpdate) Accessing SysKey
Description: Group Policy updates may trigger access to SysKey registry keys as part of enforcing security policies or user configurations.
Filter/Exclusion: Exclude processes with the command line containing gpupdate or use a process name filter like gpupdate.exe.
Scenario: Scheduled Task Running System Maintenance Tool
Description: A legitimate scheduled task (e.g., schtasks.exe) may access SysKey keys when running tools like DISM or System File Checker (SFC) for system integrity checks.
Filter/Exclusion: Exclude processes associated with schtasks.exe or use a command-line filter for DISM or sfc.exe.
Scenario: Microsoft Endpoint Configuration Manager (MECM) Task Execution
Description: MECM (formerly SCCM) may access SysKey registry keys during software deployment or configuration management tasks.
Filter/Exclusion: Exclude processes with the parent process ccmexec.exe or use a command-line filter for MECM-related tasks.
Scenario: Administrative Tools like Local Security Policy (secpol.msc)
Description: When administrators use tools like secpol.msc to configure local security policies, they may access SysKey registry keys as part of policy application.
Filter/Exclusion: Exclude processes with the command line
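As an added example (not part of the rule above or of the playbook it references), the following Python evaluates the Sigma selection against constructed Security events and applies the exclusions from the first four false-positive scenarios. Field names follow Security events 4656/4663; the command line, parent image and hosted service name are assumptions, joined from process-creation telemetry, because the registry access events themselves do not carry them.

```python
from dataclasses import dataclass

# Suffixes from the Sigma selection (ObjectName|endswith); Sigma matching is case-insensitive.
SYSKEY_SUFFIXES = tuple(s.lower() for s in ("lsa\\JD", "lsa\\GBG", "lsa\\Skew1", "lsa\\Data"))

@dataclass
class SecurityEvent:
    event_id: int
    object_type: str
    object_name: str
    process_name: str        # image path as logged in 4656/4663
    command_line: str = ""   # assumption: joined from a process-creation event
    parent_image: str = ""   # assumption: joined likewise
    service_name: str = ""   # assumption: service hosted by this svchost instance

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def matches_selection(ev: SecurityEvent) -> bool:
    """The rule's 'selection' block: handle/access events on a SysKey subkey."""
    return (ev.event_id in (4656, 4663)
            and ev.object_type.lower() == "key"
            and ev.object_name.lower().endswith(SYSKEY_SUFFIXES))

def is_known_benign(ev: SecurityEvent) -> bool:
    """Exclusions from the Windows Update, GPUpdate, scheduled-task and MECM scenarios."""
    image, cmd, parent = image_name(ev.process_name), ev.command_line.lower(), image_name(ev.parent_image)
    if image == "svchost.exe" and ev.service_name.lower() == "wuauserv":
        return True                                    # Windows Update service
    if image == "gpupdate.exe" or "gpupdate" in cmd:
        return True                                    # Group Policy refresh
    if image in ("dism.exe", "sfc.exe") or parent == "schtasks.exe":
        return True                                    # scheduled maintenance tools
    return parent == "ccmexec.exe"                     # MECM client tasks

def alerts(events):
    """Events that satisfy the selection and survive the exclusions."""
    return [ev for ev in events if matches_selection(ev) and not is_known_benign(ev)]

LSA = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\"
SAMPLE = [  # constructed sample events, not real telemetry
    SecurityEvent(4656, "Key", LSA + "JD", "C:\\Windows\\System32\\reg.exe"),
    SecurityEvent(4663, "Key", LSA + "Skew1", "C:\\Windows\\System32\\svchost.exe", service_name="wuauserv"),
    SecurityEvent(4663, "Key", LSA + "Data", "C:\\Windows\\System32\\cmd.exe", parent_image="C:\\Windows\\CCM\\CcmExec.exe"),
    SecurityEvent(4663, "File", "C:\\Windows\\System32\\config\\SYSTEM", "C:\\Windows\\System32\\reg.exe"),
    SecurityEvent(4663, "Key", LSA + "GBG", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE):
        print(f"ALERT {ev.event_id} {image_name(ev.process_name)} -> {ev.object_name}")
```

Only the reg.exe and powershell.exe accesses surface as alerts; the wuauserv and MECM accesses are dropped by the exclusions and the file access never matches the selection.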