Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1552-unsecured-credentials

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects access requests to the Windows Security Account Manager (SAM) registry hive.

Strategy

This rule monitors for Windows event ID 4656, which records handle requests to securable objects. The query looks for handle requests specifically targeting registry keys with a path ending in SAM as indicated in the @Event.EventData.Data.ObjectName field.

The Windows SAM registry hive contains password hashes for local user accounts. Direct access to this registry hive is typically restricted while Windows is running to prevent credential theft. However, there are several techniques that attackers use to bypass these protections and access the SAM hive directly.

Legitimate access to the SAM hive through the registry is extremely rare during normal system operations. Windows APIs and system components typically use alternative methods to authenticate users and verify credentials. Direct SAM hive access is often associated with credential harvesting tools that extract password hashes for offline cracking or pass-the-hash attacks.

Triage & Response

• Identify the process and user account that requested access to the SAM registry hive on {{host}}.
• Determine if the access attempt was successful by looking for subsequent event IDs related to registry access.
• Examine the process lineage to understand how the access was initiated.
• Review other suspicious activities from the same user account or process in the surrounding timeframe.
• Check for evidence of credential dumping tools or techniques being deployed on {{host}}.
• Isolate the affected system if unauthorized access to the SAM hive is confirmed.
• Reset local account credentials that may have been compromised.
• Verify no lateral movement attempts have been made using potentially harvested credentials.