An adversary running with SYSTEM-level privileges executes commands or accesses registry keys to dump the SAM hive or directly reads sensitive local files from the config directory. This behavior often involves sequential access to HKLM\SAM, HKLM\SYSTEM, and creation of .save or .dmp files, enabling offline hash extraction.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |

| Field | Description |
|---|---|
| CommandLinePattern | Detectable variations include `reg save`, `reg.exe save`, or PowerShell equivalents for dumping SAM/SYSTEM hives. |
| TargetFilePath | Defenders can tune based on dump file path patterns (e.g., `%TEMP%\sam.save`, `C:\Users\Public\*.dmp`). |
| RegistryPath | Tune for HKLM\SAM, HKLM\SYSTEM or access via direct \Device\Harddisk paths. |
| TimeWindow | Temporal gap between SAM and SYSTEM hive dumping can be tuned (e.g., 3 minutes). |
| ParentProcessName | Useful for suppressing known-good access (e.g., backup tools). |
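As an added example (not part of the original analytic), the correlation below applies the tunable fields above to a handful of constructed events: a `reg save` command line in a 4688 event, `.save`/`.dmp` file creation in Sysmon 11, and HKLM\SAM plus HKLM\SYSTEM access within the TimeWindow in Sysmon 13, with a hypothetical ParentProcessName allowlist suppressing a backup agent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each row carries the fields the
# analytic tunes on: command line, target file, registry path and parent process.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "code": 4688, "host": "WS01", "user": "SYSTEM",
     "parent": "cmd.exe", "cmdline": "reg save HKLM\\SAM C:\\Users\\Public\\sam.save"},
    {"time": "2024-05-01T10:00:02", "code": 13, "host": "WS01", "user": "SYSTEM",
     "parent": "cmd.exe", "registry": "HKLM\\SAM"},
    {"time": "2024-05-01T10:01:30", "code": 13, "host": "WS01", "user": "SYSTEM",
     "parent": "cmd.exe", "registry": "HKLM\\SYSTEM"},
    {"time": "2024-05-01T10:01:31", "code": 11, "host": "WS01", "user": "SYSTEM",
     "parent": "cmd.exe", "file": "C:\\Users\\Public\\system.save"},
    # Known-good backup agent touching both hives: suppressed by the parent allowlist.
    {"time": "2024-05-01T11:00:00", "code": 13, "host": "WS02", "user": "SYSTEM",
     "parent": "backupagent.exe", "registry": "HKLM\\SAM"},
    {"time": "2024-05-01T11:00:05", "code": 13, "host": "WS02", "user": "SYSTEM",
     "parent": "backupagent.exe", "registry": "HKLM\\SYSTEM"},
]

CMD_PATTERN = re.compile(r"\breg(?:\.exe)?\s+save\b", re.IGNORECASE)   # CommandLinePattern
FILE_PATTERN = re.compile(r"\.(save|dmp)$", re.IGNORECASE)             # TargetFilePath
HIVES = ("HKLM\\SAM", "HKLM\\SYSTEM")                                   # RegistryPath
KNOWN_GOOD_PARENTS = {"backupagent.exe"}  # hypothetical ParentProcessName allowlist

def detect_sam_dump(events, window_minutes=3):
    """Return the (host, user) pairs that tripped the analytic: a reg save command,
    a .save/.dmp file creation, or SAM and SYSTEM hive access within the time window."""
    window = timedelta(minutes=window_minutes)
    hits = set()
    last_seen = defaultdict(lambda: {"SAM": None, "SYSTEM": None})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["parent"].lower() in KNOWN_GOOD_PARENTS:
            continue
        key = (ev["host"], ev["user"])
        t = datetime.fromisoformat(ev["time"])
        if ev["code"] == 4688 and CMD_PATTERN.search(ev.get("cmdline", "")):
            hits.add(key)
        elif ev["code"] == 11 and FILE_PATTERN.search(ev.get("file", "")):
            hits.add(key)
        elif ev["code"] == 13 and ev.get("registry", "").upper() in HIVES:
            hive = ev["registry"].split("\\")[-1].upper()
            last_seen[key][hive] = t
            other = last_seen[key]["SYSTEM" if hive == "SAM" else "SAM"]
            if other is not None and abs(t - other) <= window:   # TimeWindow
                hits.add(key)
    return hits
```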