[metadata] creation_date = "2022/03/01" maturity = "production" min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15" min_stack_version = "7.15.0" updated_date = "2022/03/01" [rule] author = ["Elastic"] description = """ Identifies remote access to the registry to potentially dump credential data from the SAM registry hive in preparation for credential access and privileges elevation. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Credential Access via Registry" note = """## Config This rule uses Elastic Endpoint file creation and System Integration events for correlation. Both data should be collected from the host for this detection to work. """ references = ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"] risk_score = 73 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8" severity = "high" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"] timestamp_override = "event.ingested" type = "eql" query = ''' sequence by host.id, user.id with maxspan=1m [authentication where event.outcome == "success" and winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"] [file where event.action == "creation" and process.name : "svchost.exe" and file.Ext.header_bytes : "72656766*" and user.id : "S-1-5-21-*" and file.size >= 30000] ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] name = "OS Credential Dumping" id = "T1003" reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] name = "Security Account Manager" id = "T1003.002" reference = "https://attack.mitre.org/techniques/T1003/002/" [rule.threat.tactic] name = "Credential Access" id = "TA0006" reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] name = "Remote Services" id = "T1021" reference = "https://attack.mitre.org/techniques/T1021/" [rule.threat.tactic] name = "Lateral Movement" id = "TA0008" reference = "https://attack.mitre.org/tactics/TA0008/"