title: SAM Registry Hive Handle Request
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/12
description: Detects handles requested to SAM registry hive
detection:
  SELECTION_1:
    EventID: 4656
  SELECTION_2:
    ObjectType: Key
  SELECTION_3:
    ObjectName: '*\SAM'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
  - Unknown
fields:
  - ComputerName
  - SubjectDomainName
  - SubjectUserName
  - ProcessName
  - ObjectName
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
level: critical
logsource:
  product: windows
  service: security
modified: 2020/08/23
references:
  - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
status: experimental
tags:
  - attack.discovery
  - attack.t1012
  - attack.credential_access
  - attack.t1552.002
yml_filename: win_sam_registry_hive_handle_request.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
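To show what this rule's three selections and condition actually do against Security log records, the following is an added Python example that is not part of the rule or of the Sigma project's code. It transcribes the detection block above into a dictionary, implements a minimal approximation of Sigma's string-matching semantics (case-insensitive whole-value match, `*` and `?` wildcards, equality for numeric values; this is an assumption, not a reference implementation), evaluates the `condition` expression, and projects the rule's `fields` for each hit. The five events are constructed samples, not real telemetry.

```python
import re

# The rule's detection block, transcribed from the page.
RULE = {
    "detection": {
        "SELECTION_1": {"EventID": 4656},
        "SELECTION_2": {"ObjectType": "Key"},
        "SELECTION_3": {"ObjectName": r"*\SAM"},
        "condition": "(SELECTION_1 and SELECTION_2 and SELECTION_3)",
    },
    "fields": ["ComputerName", "SubjectDomainName", "SubjectUserName", "ProcessName", "ObjectName"],
    "level": "critical",
}

# Constructed sample events (assumption: flattened 4656/4663 records as a SIEM would present them).
SAMPLE_EVENTS = [
    # Hit: handle to the SAM hive root from an unexpected process.
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAM",
     "ComputerName": "WKSTN01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "ProcessName": r"C:\Temp\unknown.exe"},
    # Hit: EventID arrives as a string and ObjectName in lower case; Sigma matching is case-insensitive.
    {"EventID": "4656", "ObjectType": "Key", "ObjectName": r"\registry\machine\sam",
     "ComputerName": "WKSTN02.corp.example", "SubjectDomainName": "NT AUTHORITY",
     "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\lsass.exe"},
    # Miss: a subkey whose name does not end in \SAM, so SELECTION_3 fails.
    {"EventID": 4656, "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account",
     "ComputerName": "WKSTN01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # Miss: 4663 (object accessed) is not 4656 (handle requested), so SELECTION_1 fails.
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAM",
     "ComputerName": "WKSTN01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "ProcessName": r"C:\Temp\unknown.exe"},
    # Miss: the hive file on disk also ends in \SAM, but ObjectType is File, so SELECTION_2 fails.
    {"EventID": 4656, "ObjectType": "File", "ObjectName": r"C:\Windows\System32\config\SAM",
     "ComputerName": "WKSTN01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "ProcessName": r"C:\Temp\unknown.exe"},
]


def sigma_value_matches(pattern, value):
    """Approximate Sigma value semantics: strings match whole-value, case-insensitively,
    with '*' (any run) and '?' (one char); non-string patterns compare numerically."""
    if not isinstance(pattern, str):
        try:
            return int(value) == pattern
        except (TypeError, ValueError):
            return False
    if value is None:
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def selection_matches(selection, event):
    # Field/value pairs inside one selection are AND-ed together.
    return all(sigma_value_matches(pat, event.get(field)) for field, pat in selection.items())


_COND_TOKEN = re.compile(r"\(|\)|\b(?:and|or|not)\b|[A-Za-z_]\w*")


def evaluate_condition(condition, results):
    """Evaluate a boolean Sigma condition over a {selection_name: bool} map.
    Only parentheses, and/or/not and known selection names are accepted."""
    tokens = _COND_TOKEN.findall(condition)
    if "".join(tokens) != re.sub(r"\s+", "", condition):
        raise ValueError("unsupported token in condition: %r" % condition)
    for tok in tokens:
        if tok not in ("(", ")", "and", "or", "not") and tok not in results:
            raise ValueError("unknown selection %r" % tok)
    return bool(eval(" ".join(tokens), {"__builtins__": {}}, dict(results)))


def run_rule(rule, events):
    """Return one alert per matching event, carrying only the rule's 'fields' plus its level."""
    det = rule["detection"]
    selections = {name: sel for name, sel in det.items() if name != "condition"}
    hits = []
    for ev in events:
        results = {name: selection_matches(sel, ev) for name, sel in selections.items()}
        if evaluate_condition(det["condition"], results):
            alert = {f: ev.get(f) for f in rule["fields"]}
            alert["level"] = rule["level"]
            hits.append(alert)
    return hits


if __name__ == "__main__":
    for alert in run_rule(RULE, SAMPLE_EVENTS):
        print(alert)
```

Two things the walk-through makes visible. First, each selection carries part of the precision: without `SELECTION_2`, the 4656 for the hive file `C:\Windows\System32\config\SAM` would also fire, and without `SELECTION_1` every subsequent 4663 access record would duplicate the handle-request alert. Second, the `*\SAM` glob is a suffix match, so a handle to `\REGISTRY\MACHINE\SAM\SAM` also satisfies it while deeper subkeys do not. Note that event 4656 is only generated when object access auditing for the registry is enabled and the key carries a SACL; without that, the rule has nothing to match.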