Uncommon sensitive filesystem registry hive access

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-04

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	OS Credential Dumping (T1003) OS Credential Dumping: Security Account Manager (T1003.002)
Severity	Informational

Description

A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

Attacker's Goals

Adversary may attempt to extract credentials from the Windows Registry
Credentials can then be used to perform Lateral Movement and access restricted information.

Investigative actions

Investigate the process that tried to access the registry hive file.
Investigate the actions of the user, for which his credentials were stored in the registry hive file.

Variations

Uncommon filesystem registry SAM hive access by a lolbin actor in a shadow copy folder

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

High

Description

A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

Attacker's Goals

Adversary may attempt to extract credentials from the Windows Registry
Credentials can then be used to perform Lateral Movement and access restricted information.

Investigative actions

Investigate the process that tried to access the registry hive file.
Investigate the actions of the user, for which his credentials were stored in the registry hive file.

Uncommon sensitive filesystem registry hive access by a lolbin actor in a shadow copy folder

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

Attacker's Goals

Adversary may attempt to extract credentials from the Windows Registry
Credentials can then be used to perform Lateral Movement and access restricted information.

Investigative actions

Investigate the process that tried to access the registry hive file.
Investigate the actions of the user, for which his credentials were stored in the registry hive file.

Uncommon sensitive filesystem registry hive access by a rare unsigned actor in a shadow copy folder

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

Attacker's Goals

Adversary may attempt to extract credentials from the Windows Registry
Credentials can then be used to perform Lateral Movement and access restricted information.

Investigative actions

Investigate the process that tried to access the registry hive file.
Investigate the actions of the user, for which his credentials were stored in the registry hive file.

Uncommon sensitive filesystem registry hive access by a rare unsigned actor

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Low

Description

A sensitive registry hive was accessed from the filesystem by an uncommon actor, which is used for credentials dumping.

Attacker's Goals

Adversary may attempt to extract credentials from the Windows Registry
Credentials can then be used to perform Lateral Movement and access restricted information.

Investigative actions

Investigate the process that tried to access the registry hive file.
Investigate the actions of the user, for which his credentials were stored in the registry hive file.