Credential access via registry hive dumping
Set up the sentinelone integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a registry hive is dumped.
Strategy
Command line utilities like reg.exe
can be used to dump Security and/or SAM hives. Attackers have dumped these hives in an attempt to extract credentials.
Triage and response
- Identify which hive is being dumped, and if it is authorized or expected.
- If it’s not authorized, isolate the host from the network.
- Follow your organization’s internal processes for investigating and remediating compromised systems.