Sensitive Registry Hive Access via RegBack

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Identifies attempts to access registry backup hives that can contain or enable access to credential material.

Rule type: eql

Rule indices:

  • logs-endpoint.events.file-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Resources: Investigation Guide
  • Data Source: Elastic Defend

Version: 7

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating Sensitive Registry Hive Access via RegBack

Possible investigation steps

  • Which RegBack hives did the process open, and is the set usable for credential access?
  • Why: "SAM" or "SECURITY" becomes credential material only when paired with "SYSTEM", which holds the boot key that protects them; file.size helps assess whether a hive is populated but does not replace hive-set review. Since Windows 10 version 1803 the RegIdleBackup task no longer writes to RegBack unless the EnablePeriodicBackup registry value is set, so zero-byte hives are common and an empty size alone neither confirms nor clears the access.
  • Focus: alert file.path and file.size, then same-process opens for other RegBack hives. !{investigate{"description":"","label":"File activity for the same process","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"file","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  • Implication: escalate when one process accesses "SAM" plus "SYSTEM" or all three hives, especially with populated sizes; do not close on empty/missing size alone, and keep isolated single-hive access unresolved until identity and staging are checked.
  • Does the accessing process fit a recognized recovery, backup, or forensic chain?
  • Focus: process.executable, process.code_signature.subject_name, process.code_signature.trusted, and process.parent.executable.
  • Hint: use process.entity_id to tie process.command_line and process.parent.command_line to the opener; if renamed, check process.pe.original_file_name. Trusted signer or Microsoft path does not clear credential-hive access.
  • Implication: escalate when the binary is unsigned, user-writable, renamed, or launched by shell, script, Office, or remote-admin lineage outside recovery/evidence collection; lower suspicion when signer, path, parent, and command lines converge on one recognized workflow.
  • Did the same process stage, rename, archive, or hide hive files?
  • Focus: same-process file events by host.id and process.entity_id, especially file.path and file.size.
  • Hint: look for temp, user-profile, admin-share, removable, archive, or deceptive names omitting "SAM", "SECURITY", or "SYSTEM".
  • Implication: escalate when hives are copied, renamed, compressed, or staged outside a recognized evidence or backup repository; lower suspicion when copies stay inside the bounded recovery/forensic case path.
  • Does the user and session identity fit protected RegBack access?
  • Focus: user.id, process.Ext.authentication_id, process.command_line, and process.parent.executable.
  • Hint: when present, use process.Ext.session_info.logon_type only as support; otherwise anchor on process.Ext.authentication_id, parent, and command line.
  • Implication: escalate on rare user, unexplained session identifier, or remote-admin lineage without matching process and file-path evidence for recovery or forensics; lower suspicion when account, session, parent, and command line match the bounded workflow.
  • Do command lines or child processes show hive parsing, cleanup, or transfer?
  • Why: RegBack reads may pair with "reg save", shadow-copy, or raw-copy variants for offline secret extraction.
  • Focus: process.command_line, child process events where process.parent.entity_id matches process.entity_id, and copied-hive file.path values. !{investigate{"description":"","label":"Child process events for the accessing process","providers":[[{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  • Hint: check for "reg.exe save", shadow-copy utilities, raw-copy tools, archive tools, credential dumpers, cleanup commands, removable paths, or UNC paths.
  • Implication: escalate when the lineage parses hives, creates archives, deletes staged hives, writes UNC/removable paths, or uses reg-save/shadow-copy/raw-copy variants; absence of these follow-on artifacts does not clear populated multi-hive access.
  • If local evidence is suspicious or incomplete, do related alerts expand scope?
  • Focus: related alerts for user.id covering credential access, privilege escalation, staging, transfer, persistence, or lateral movement. !{investigate{"description":"","label":"Alerts associated with the user","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Hint: use host.id when user scope is quiet or the actor is "S-1-5-18" or another service context. !{investigate{"description":"","label":"Alerts associated with the host","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  • Implication: broaden containment and credential-impact review when related alerts show adjacent post-compromise behavior; keep the case local when related alerts are quiet and all local evidence fits one recognized workflow.
  • Escalate on populated multi-hive access with suspicious identity, staging, transfer, privilege, or related-alert context; close only when telemetry aligns with one recognized backup, recovery, or forensic workflow and no contradictory evidence remains; preserve hives, process records, and copied artifacts when evidence is mixed, incomplete, or needs outside confirmation.

False positive analysis

  • Endpoint security products (AV/EDR) routinely open RegBack hives during full-disk scans. Confirm when process.executable is a trusted-signed binary from a Program Files AV/EDR install path, user.id is S-1-5-18, and the same process.entity_id shows no staging, copy, archive, or multi-hive credential-set access.
  • Recognized backup, recovery, or forensic workflows can legitimately access RegBack hives only when process.executable, process.code_signature.subject_name, process.parent.executable, process.command_line, copied file.path, user.id, process.Ext.authentication_id, and host.id identify the same bounded maintenance or evidence-collection scope. Leave unresolved if staging, child-process, or related-alert evidence contradicts the workflow or legitimacy rests only on owner/context.
  • Before creating an exception, require recurring process.executable, process.command_line, file.path, user.id, and host.id across prior alerts; avoid exceptions on the RegBack path, hive name, or host alone.

Response and remediation

  • If confirmed benign, release any temporary containment and document the confirmed workflow anchors: tool identity, parent and command line, bounded RegBack file.path set, copied path pattern, user.id, and host.id. Create an exception only if those anchors recur consistently across prior alerts from this rule.
  • If suspicious but unconfirmed, export the alert, process timeline, same-process file activity, and any copied, archived, UNC, or removable-media hive paths before containment. Preserve hive copies when present. Apply reversible containment first, such as restricting the process, copied path, share access, or involved user.id; escalate to host isolation only when populated multi-hive access is paired with staging, transfer paths, or related post-compromise alerts and the asset can tolerate it.
  • If confirmed malicious, record and preserve the responsible process instance, process timeline, and hive artifact paths before containment. Then use Elastic Defend response actions to isolate the host and kill or suspend the process. If direct endpoint response is unavailable, escalate with those artifacts to the team that can isolate the host or disable the involved account. Block confirmed malicious tools, paths, shares, and copied artifacts tied to the RegBack access before cleanup.
  • If the same process accessed populated "SAM", "SECURITY", and "SYSTEM" files, treat the case as higher-confidence credential exposure and begin local-account and cached-credential hygiene appropriate to the host role. On shared admin systems or servers with privileged local accounts, escalate identity-impact handling according to the credential-compromise runbook.
  • Before eradication, scope the same process identity, RegBack path set, copy destinations, user.id, and host.id across related alerts so evidence is preserved before cleanup. Then remove unauthorized tools, copied hives, archives, remote-share artifacts, and persistence mechanisms uncovered during the investigation, and remediate the access vector or privilege path that allowed RegBack access.
  • Post-incident hardening: restrict RegBack access to recognized backup, recovery, and forensic tooling; retain endpoint process and file telemetry needed for this workflow; and document any "reg save", shadow-copy, or raw-copy variants surfaced during triage for future case comparison.

Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Rule query

file where host.os.type == "windows" and
 event.action == "open" and event.outcome == "success" and process.executable != null and
 file.path :
      ("?:\\Windows\\System32\\config\\RegBack\\SAM",
       "?:\\Windows\\System32\\config\\RegBack\\SECURITY",
       "?:\\Windows\\System32\\config\\RegBack\\SYSTEM") and
 not (
    user.id == "S-1-5-18" and process.executable : (
        "?:\\Windows\\system32\\taskhostw.exe",
        "?:\\Windows\\system32\\taskhost.exe",
        "?:\\Program Files\\Sophos\\Endpoint Defense\\SophosScanCoordinator.exe",
        "?:\\Program Files\\Sophos\\Endpoint Defense\\SSPService.exe",
        "?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
        "?:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe",
        "?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\*\\Bin64\\ccSvcHst.exe",
        "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe",
        "?:\\Program Files\\N-able Technologies\\AVDefender\\EPSecurityService.exe",
        "?:\\Program Files\\Cylance\\Optics\\CyOptics.exe",
        "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe",
        "?:\\Program Files (x86)\\Padvish AV\\APCcSvc.exe"
    )
 )
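The following is an added example for this page, not Elastic's rule engine or any code shipped with the rule. It re-implements the EQL query above in Python (the RegBack path set, successful opens only, the `user.id == "S-1-5-18"` scanner exclusions with EQL's case-insensitive `?`/`*` wildcards) and then applies the investigation guide's per-process checks: which hives one process.entity_id opened, whether a usable credential set (SAM or SECURITY together with SYSTEM) is present and populated, and whether the same process wrote a file outside RegBack that could be a staged copy. The field names are the ECS/Elastic Defend fields used on the page; the events are constructed sample data, the exclusion list is a subset of the rule's, and the event.action value "creation" for the staging write is an assumption about the Defend file schema.

```python
"""Offline re-implementation of the RegBack rule and the guide's triage checks.

Added example for this page, not Elastic's rule engine: the EQL query's matching
semantics (RegBack path set, successful opens, SYSTEM-account scanner exclusions)
plus the guide's per-process checks (hives opened, populated or not, copies staged
outside RegBack). Fields are the ECS/Elastic Defend names on the page; events are
constructed, and event.action "creation" for the staging write is an assumption.
"""
from collections import defaultdict
from fnmatch import fnmatchcase
import ntpath

REGBACK_HIVES = (
    "?:\\Windows\\System32\\config\\RegBack\\SAM",
    "?:\\Windows\\System32\\config\\RegBack\\SECURITY",
    "?:\\Windows\\System32\\config\\RegBack\\SYSTEM",
)
# Subset of the rule's exclusion list (scanners tolerated only when running as SYSTEM).
EXCLUDED_AS_SYSTEM = (
    "?:\\Windows\\system32\\taskhostw.exe",
    "?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\*\\Bin64\\ccSvcHst.exe",
)
# SAM and SECURITY are only usable with the boot key stored in SYSTEM.
CREDENTIAL_SETS = ({"SAM", "SYSTEM"}, {"SECURITY", "SYSTEM"})


def eql_like(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match, '?' one char, '*' any run."""
    return value is not None and any(
        fnmatchcase(value.lower(), p.lower()) for p in patterns)


def rule_matches(ev):
    """True when a single file event would fire the page's EQL query."""
    basics = (ev.get("host.os.type") == "windows" and ev.get("event.category") == "file"
              and ev.get("event.action") == "open" and ev.get("event.outcome") == "success"
              and ev.get("process.executable") is not None
              and eql_like(ev.get("file.path"), REGBACK_HIVES))
    excluded = (ev.get("user.id") == "S-1-5-18"
                and eql_like(ev.get("process.executable"), EXCLUDED_AS_SYSTEM))
    return bool(basics and not excluded)


def triage(events):
    """Per-process checks from the guide for every process that fired the rule.

    Returns {process.entity_id: verdict}. status is "escalate" when the process
    opened a usable credential set or staged a file outside RegBack, otherwise
    "unresolved" (single-hive access is never closed here). confidence is "high"
    only when the credential set is populated; empty hives never close the case.
    """
    by_proc = defaultdict(list)
    for ev in events:
        if rule_matches(ev):
            by_proc[ev["process.entity_id"]].append(ev)
    verdicts = {}
    for pid, hits in by_proc.items():
        names = [(ntpath.basename(e["file.path"]).upper(), e.get("file.size") or 0)
                 for e in hits]
        hives = {n for n, _ in names}
        populated = {n for n, size in names if size > 0}
        # Same-process writes/renames that are not RegBack opens: staging candidates
        # (temp, profile, share paths, deceptive names).
        staged = sorted(e["file.path"] for e in events
                        if e.get("process.entity_id") == pid
                        and e.get("event.category") == "file"
                        and e.get("event.action") in ("creation", "rename")
                        and not eql_like(e.get("file.path"), REGBACK_HIVES))
        credential_set = any(s <= hives for s in CREDENTIAL_SETS)
        verdicts[pid] = {
            "hives": sorted(hives),
            "credential_set": credential_set,
            "staged": staged,
            "status": "escalate" if credential_set or staged else "unresolved",
            "confidence": "high" if any(s <= populated for s in CREDENTIAL_SETS) else "medium",
        }
    return verdicts


def make_event(path, entity_id, exe, user_id, action="open", size=0):
    # One constructed Elastic Defend-style file event (sample data, not real telemetry).
    return {"host.os.type": "windows", "host.id": "host-1", "event.category": "file",
            "event.action": action, "event.outcome": "success", "user.id": user_id,
            "process.entity_id": entity_id, "process.executable": exe,
            "file.path": path, "file.size": size}


REGBACK = "C:\\Windows\\System32\\config\\RegBack\\"
SENSE = "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"
TOOL = "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
USER = "S-1-5-21-1-2-3-1001"
SAMPLE_EVENTS = [
    # Defender for Endpoint scan as SYSTEM: in the path set, excluded by the rule.
    make_event(REGBACK + "SAM", "p-sense", SENSE, "S-1-5-18", size=65536),
    # Unsigned binary in a user profile opens SAM and SYSTEM, then writes a copy
    # under a deceptive name in the same temp folder.
    make_event(REGBACK + "SAM", "p-tool", TOOL, USER, size=65536),
    make_event(REGBACK + "SYSTEM", "p-tool", TOOL, USER, size=12582912),
    make_event("C:\\Users\\alice\\AppData\\Local\\Temp\\report.dat", "p-tool", TOOL, USER,
               action="creation", size=65536),
    # Backup agent as SYSTEM reads only the SYSTEM hive: fires, but no credential set.
    make_event(REGBACK + "SYSTEM", "p-backup", "C:\\Program Files\\Backup\\agent.exe",
               "S-1-5-18", size=12582912),
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

Running it shows the three outcomes the guide distinguishes: the MsSense open never becomes an alert, the temp-folder tool escalates with "high" confidence because it opened populated SAM and SYSTEM and then wrote report.dat, and the backup agent's single SYSTEM read stays "unresolved" until its identity and lineage are checked. The same grouping by process.entity_id is what the "File activity for the same process" timeline in the guide gives you interactively.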

Framework: MITRE ATT&CK™