Uncommon sensitive registry hive dump

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-12-08
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Low

Description

A registry hive that stores credential material was extracted from the host; the extracted copy can be used to recover credentials.

Attacker's Goals

  • An adversary may attempt to extract credentials from the Windows Registry.
  • The extracted credentials can then be used for lateral movement and to access restricted information.

Investigative actions

  • Investigate the process that accessed the registry hive, including its command line, signer, and causality chain.
  • Investigate the actions of the user whose credentials were stored in the registry hive.

Variations

Uncommon sensitive registry hive dump by unsigned and rare process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

High

Description

A registry hive that stores credential material was extracted from the host; the extracted copy can be used to recover credentials.

Attacker's Goals

  • An adversary may attempt to extract credentials from the Windows Registry.
  • The extracted credentials can then be used for lateral movement and to access restricted information.

Investigative actions

  • Investigate the process that accessed the registry hive, including its command line, signer, and causality chain.
  • Investigate the actions of the user whose credentials were stored in the registry hive.


Uncommon sensitive registry hive dump by injected process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

High

Description

A registry hive that stores credential material was extracted from the host; the extracted copy can be used to recover credentials.

Attacker's Goals

  • An adversary may attempt to extract credentials from the Windows Registry.
  • The extracted credentials can then be used for lateral movement and to access restricted information.

Investigative actions

  • Investigate the process that accessed the registry hive, including its command line, signer, and causality chain.
  • Investigate the actions of the user whose credentials were stored in the registry hive.


Uncommon sensitive registry hive dump by reg.exe lolbin process which was executed by rare causality process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

High

Description

A registry hive that stores credential material was extracted from the host; the extracted copy can be used to recover credentials.

Attacker's Goals

  • An adversary may attempt to extract credentials from the Windows Registry.
  • The extracted credentials can then be used for lateral movement and to access restricted information.

Investigative actions

  • Investigate the process that accessed the registry hive, including its command line, signer, and causality chain.
  • Investigate the actions of the user whose credentials were stored in the registry hive.


Uncommon sensitive registry hive dump by reg.exe lolbin process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Medium

Description

A registry hive that stores credential material was extracted from the host; the extracted copy can be used to recover credentials.

Attacker's Goals

  • An adversary may attempt to extract credentials from the Windows Registry.
  • The extracted credentials can then be used for lateral movement and to access restricted information.

Investigative actions

  • Investigate the process that accessed the registry hive, including its command line, signer, and causality chain.
  • Investigate the actions of the user whose credentials were stored in the registry hive.
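The detection and triage logic described above (a hive export event, the signer, rarity and injection conditions that separate the base alert from its variations, and the investigative step of pinning down the dumping process), as an added worked example. This is illustrative Python written for this page, not Cortex XSIAM code or its query language: the record fields, the rarity threshold, the precedence between variations, the baseline and the sample events are all constructed assumptions. The three hives it treats as sensitive (SAM, SECURITY, SYSTEM) are the standard credential hives targeted under T1003; the page itself does not enumerate them.

```python
# Triage helper for "Uncommon sensitive registry hive dump" records. Added example,
# not Cortex XSIAM code: field names, the rarity threshold and the precedence
# between the page's variations are assumptions made for illustration.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hives under HKLM that hold credential material: SAM (local account hashes),
# SECURITY (LSA secrets, cached domain logons) and SYSTEM (the boot key that
# decrypts the other two). The hive root or any key beneath it counts.
HIVE_RE = re.compile(r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SECURITY|SYSTEM)(?:\\|$)", re.I)

# Assumed rarity rule: an image seen on fewer hosts than this during the training
# period is "rare". The page gives no threshold; tune it to the fleet.
RARE_HOST_THRESHOLD = 3
BASE_ALERT = "Uncommon sensitive registry hive dump"

@dataclass(frozen=True)
class HiveAccess:           # one hive-export record as an XTH-capable agent might report it (constructed)
    host: str
    image: str              # acting process image name
    cmdline: str
    signed: bool            # agent verified the image's signature
    injected: bool          # agent saw injected code running inside this process
    causality: str          # image at the root of the causality chain
    registry_key: str       # key the save/export was issued against

@dataclass(frozen=True)
class Verdict:
    alert: str
    severity: str
    hive: str
    dump_file: Optional[str]    # where the hive copy landed, when recoverable from the command line

def sensitive_hive(key: str) -> Optional[str]:
    """Return SAM/SECURITY/SYSTEM if `key` points into a credential hive, else None."""
    m = HIVE_RE.match(key.strip('"'))
    return m.group(1).upper() if m else None

def reg_dump_file(cmdline: str) -> Optional[str]:
    """For `reg save|export <hive> <file> [...]` return <file>, so the responder can collect the dump."""
    argv = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(argv) < 4:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or argv[1].lower() not in ("save", "export"):
        return None
    return argv[3].strip('"')

def build_baseline(history) -> Counter:
    """Training-period prevalence: image name -> number of distinct hosts that ran it."""
    prevalence = Counter()
    for _host, image in {(h, i.lower()) for h, i in history}:
        prevalence[image] += 1
    return prevalence

def is_rare(image: str, baseline: Counter) -> bool:
    return baseline[image.lower()] < RARE_HOST_THRESHOLD

def triage(ev: HiveAccess, baseline: Counter) -> Optional[Verdict]:
    """Map one record onto the page's alert variations; the precedence order is an assumption."""
    hive = sensitive_hive(ev.registry_key)
    if hive is None:
        return None                         # not a credential hive: nothing to alert on
    dump_file = reg_dump_file(ev.cmdline)
    if ev.injected:
        return Verdict(f"{BASE_ALERT} by injected process", "High", hive, dump_file)
    if ev.image.lower() == "reg.exe":
        if is_rare(ev.causality, baseline):
            return Verdict(f"{BASE_ALERT} by reg.exe lolbin process which was executed by "
                           "rare causality process", "High", hive, dump_file)
        return Verdict(f"{BASE_ALERT} by reg.exe lolbin process", "Medium", hive, dump_file)
    if not ev.signed and is_rare(ev.image, baseline):
        return Verdict(f"{BASE_ALERT} by unsigned and rare process", "High", hive, dump_file)
    return Verdict(BASE_ALERT, "Low", hive, dump_file)

# Constructed 30-day baseline: (host, image) pairs from process-start telemetry.
HISTORY = [(f"ws{n:02d}", img) for n in range(20)
           for img in ("cmd.exe", "explorer.exe", "services.exe", "backupagent.exe")]
HISTORY += [("ws03", "updater_svc.exe"), ("ws07", "nt_dump.exe")]

# Constructed records: one per variation, plus a benign registry query that must not alert.
SAMPLE_EVENTS = [
    HiveAccess("ws01", "reg.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv", True, False, "cmd.exe", r"HKLM\SAM"),
    HiveAccess("ws03", "reg.exe", r'reg.exe save "HKLM\SECURITY" C:\Users\Public\sec.hiv /y', True, False,
               "updater_svc.exe", r"HKLM\SECURITY"),
    HiveAccess("ws07", "nt_dump.exe", "nt_dump.exe --all", False, False, "explorer.exe", r"HKLM\SYSTEM"),
    HiveAccess("ws09", "explorer.exe", r"C:\Windows\explorer.exe", True, True, "explorer.exe", r"HKLM\SAM"),
    HiveAccess("ws11", "backupagent.exe", "backupagent.exe /system-state", True, False, "services.exe", r"HKLM\SYSTEM"),
    HiveAccess("ws12", "reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows", True, False, "cmd.exe",
               r"HKLM\SOFTWARE\Microsoft\Windows"),
]

def run_samples() -> list:
    baseline = build_baseline(HISTORY)
    return [triage(ev, baseline) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, run_samples()):
        label = f"{v.severity}: {v.alert}" if v else "no alert"
        print(f"{ev.host} {ev.image:16} -> {label}")
```

Two points of the design carry over to real triage: the rarity decision is only as good as the baseline it is scored against, which is why the detector has a training period before it starts firing, and the dump file path recovered from a reg.exe command line is the first artefact to collect, since the hive copy on disk is what the adversary needs to exfiltrate before any credential can be recovered from it.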