This note documents detection patterns related to Registry Dumping within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects reg.exe, reg save, PowerShell export commands, or custom dumping tools. |
| Sysmon | 1 | Process creation | Critical | Best execution source for registry dump tooling and command line visibility. |
| Sysmon | 11 | File create | Critical | Captures hive dump files such as SAM, SYSTEM, SECURITY, NTUSER.DAT copies. |
| Sysmon | 12 | Registry object create/delete | High | Registry object interaction near dump operations. |
| Sysmon | 13 | Registry value set | Medium | Supports adjacent tampering before or after dump. |
| Security | 4656 | Handle requested to object | High | Sensitive hive access if auditing enabled. |
| Security | 4663 | Object access | High | Detects hive read operations under audit coverage. |
| Sysmon | 10 | Process access | Medium | Useful if dump precedes LSASS access in credential chain. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| reg save on SAM/SYSTEM/SECURITY | Credential extraction preparation | Critical | Classic local credential theft chain. |
| Hive dumped to Temp/AppData | Suspicious dump location | Critical | Common attacker staging path. |
| Backup file shortly followed by archive | Dump prepared for exfiltration | Critical | Strong collection indicator. |
| Shadow copy + hive dump | Locked hive bypass | High | Advanced attacker pattern. |
| SYSTEM + SAM paired access | Offline hash extraction | Critical | Very strong credential theft signal. |
| Remote registry interaction | Registry dump over remote admin | High | Lateral collection clue. |
Common Tools
| Tool | Usage |
|---|---|
| reg.exe | reg save hive dumping |
| regedit.exe | Export registry data |
| PowerShell | Registry export or hive copy |
| esentutl.exe | Locked file copy |
| vssadmin.exe | Shadow copy for hive access |
| diskshadow.exe | Volume shadow dump path |
| secretsdump.py | Offline hive extraction |
Relevant Artifacts
- Sysmon Event IDs 1, 11, 12, 13
- Security Event IDs 4688, 4656, 4663
- Prefetch: REG.EXE, REGEDIT.EXE, VSSADMIN.EXE, DISKSHADOW.EXE
- Amcache for dump tooling
- ShimCache traces
- MFT / USN Journal for hive dump files
- Dumped files: SAM / SYSTEM / SECURITY
- EDR lineage around dump + archive
MITRE ATT&CK References
- T1003.002 Security Account Manager
- T1003.004 LSA Secrets
- T1003 OS Credential Dumping
- T1112 Modify Registry
Decision Tree
- Which hive was dumped?
  - SAM
  - SYSTEM
  - SECURITY
  - User hive
- Which process performed the dump?
  - reg.exe
  - PowerShell
  - Shadow copy tooling
- Is the dump location suspicious?
  - Temp
  - Public
  - Network share
- Follow-up activity?
  - Archive
  - Exfiltration
  - Hash cracking prep
- Expand the investigation to:
  - LSASS access
  - Privilege escalation
  - Lateral movement
- Scope:
  - Single host
  - Multiple hives
  - Enterprise collection
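The indirect indicators and the decision tree above describe a correlation a responder performs by hand. The following Python is an added example, not part of this note or any product: it groups constructed Sysmon Event ID 1 and Event ID 11 records by host, identifies hive dumps from `reg save`/`reg export` command lines and hive-named file creates, and then answers the decision-tree questions (which hive, which process, staging location, shadow-copy tooling shortly before, archiver shortly after). The sample records, the field names `ts`/`host`/`id`/`image`/`cmd`/`file`, and the ten-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process create) and
# Event ID 11 (file create) records already parsed into dicts. Not real data.
SAMPLE_EVENTS = [
    {"ts": "2026-03-07T10:00:05", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\reg.exe", "cmd": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"ts": "2026-03-07T10:00:06", "host": "WS01", "id": 11,
     "image": r"C:\Windows\System32\reg.exe", "file": r"C:\Users\Public\sam.hiv"},
    {"ts": "2026-03-07T10:00:40", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\reg.exe", "cmd": r"reg save HKLM\SYSTEM C:\Users\Public\system.hiv"},
    {"ts": "2026-03-07T10:00:41", "host": "WS01", "id": 11,
     "image": r"C:\Windows\System32\reg.exe", "file": r"C:\Users\Public\system.hiv"},
    {"ts": "2026-03-07T10:02:00", "host": "WS01", "id": 1,
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z a C:\Users\Public\h.zip C:\Users\Public\sam.hiv C:\Users\Public\system.hiv"},
    # Routine export of a non-credential key to a backup drive: no hive, so no finding.
    {"ts": "2026-03-07T11:15:00", "host": "SRV02", "id": 1,
     "image": r"C:\Windows\System32\reg.exe", "cmd": r"reg export HKLM\SOFTWARE\Contoso D:\Backups\contoso.reg"},
]

REG_SAVE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\b", re.I)
HIVE_KEY = re.compile(r"\bHK(?:LM|EY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.I)
HIVE_FILE = re.compile(r"(?:^|[\\/])(SAM|SYSTEM|SECURITY|NTUSER\.DAT)(?:\.\w+)?$", re.I)
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")
ARCHIVERS = ("7z.exe", "rar.exe", "winrar.exe", "tar.exe", "makecab.exe")
SHADOW_TOOLS = ("vssadmin.exe", "diskshadow.exe", "esentutl.exe")


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _exe(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_staging_path(path):
    """Temp, AppData, Public or a UNC share: the note's 'suspicious dump location'."""
    p = path.lower()
    return p.startswith("\\\\") or any(d in p for d in STAGING_DIRS)


def hive_dumps(events):
    """Yield (event, hive, output_path) for reg save/export of a credential hive
    and for created files that carry a hive name."""
    for e in events:
        if e["id"] == 1 and _exe(e["image"]) == "reg.exe" and REG_SAVE.search(e["cmd"]):
            m = HIVE_KEY.search(e["cmd"])
            if m:
                yield e, m.group(1).upper(), e["cmd"].split()[-1].strip('"')
        elif e["id"] == 11:
            m = HIVE_FILE.search(e["file"])
            if m:
                yield e, m.group(1).upper(), e["file"]


def triage(events, window=timedelta(minutes=10)):
    """Group by host, find hive dumps and answer the decision-tree questions.
    Returns {host: finding} for every host with at least one hive dump."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        dumps = list(hive_dumps(evs))
        if not dumps:
            continue
        first, last = _ts(dumps[0][0]), _ts(dumps[-1][0])
        hives = {h for _, h, _ in dumps}
        paths = [p.lower() for _, _, p in dumps]
        procs = [e for e in evs if e["id"] == 1]
        f = {
            "hives": sorted(hives),
            "processes": sorted({_exe(e["image"]) for e, _, _ in dumps}),
            "paired_sam_system": {"SAM", "SYSTEM"} <= hives,
            "staging_location": any(is_staging_path(p) for p in paths),
            # Shadow-copy tooling shortly before the dump: the locked-hive bypass pattern.
            "shadow_copy_before": any(_exe(e["image"]) in SHADOW_TOOLS
                                      and first - window <= _ts(e) <= last for e in procs),
            # An archiver that picks up the dump output shortly after: collection staging.
            "archive_after": any(_exe(e["image"]) in ARCHIVERS
                                 and last <= _ts(e) <= last + window
                                 and any(p in e["cmd"].lower() for p in paths) for e in procs),
        }
        indicators = []  # (indicator from the note, forensic value from the note)
        if "reg.exe" in f["processes"]:
            indicators.append(("reg save on SAM/SYSTEM/SECURITY", "Critical"))
        if f["paired_sam_system"]:
            indicators.append(("SYSTEM + SAM paired access", "Critical"))
        if f["staging_location"]:
            indicators.append(("Hive dumped to Temp/AppData/Public/share", "Critical"))
        if f["archive_after"]:
            indicators.append(("Hive dump followed by archive", "Critical"))
        if f["shadow_copy_before"]:
            indicators.append(("Shadow copy + hive dump", "High"))
        f["indicators"] = indicators
        f["severity"] = "Critical" if any(v == "Critical" for _, v in indicators) else "High"
        findings[host] = f
    return findings


if __name__ == "__main__":
    for host, f in triage(SAMPLE_EVENTS).items():
        print(host, f["severity"], f["hives"], [name for name, _ in f["indicators"]])
```

On the sample data WS01 yields a Critical finding with SAM and SYSTEM paired, a Public staging path and a 7-Zip follow-up, while SRV02's export of a non-credential key to a backup drive produces nothing; in a real pipeline the `archive_after` check is the one worth keeping tight, since it requires the archiver's command line to reference the dump output rather than merely running nearby.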
Example Detection Templates
KQL

```kql
Sysmon
| where EventID == 1
| where CommandLine has_any ("reg save","reg export","SAM","SYSTEM","SECURITY")
| project TimeGenerated, Computer, User, CommandLine
```

```kql
Sysmon
| where EventID == 11
| where TargetFilename has_any ("SAM","SYSTEM","SECURITY")
| project TimeGenerated, Computer, TargetFilename
```

EQL

```eql
process where process.command_line like "*reg save*" or process.command_line like "*SAM*"
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.name == "reg.exe" ]
  [ file where file.path like "*SAM*" ]
```
Sigma

```yaml
title: Registry Dumping Detection
id: 7f4e2b81-registry-dump
status: experimental
description: Detects registry hive dumping linked to credential theft
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    CommandLine|contains:
      - 'reg save'
      - 'SAM'
      - 'SYSTEM'
      - 'SECURITY'
  condition: selection
fields:
  - CommandLine
  - ParentImage
falsepositives:
  - Legitimate backup operations
level: high
tags:
  - attack.credential_access
  - attack.t1003
```
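Sigma's `contains` modifier is a case-insensitive substring test, so the bare values `SYSTEM` and `SECURITY` in the selection above also match any command line that mentions a `System32` path or a service with "System" in its name. The following Python is an added example, not part of this note or of any Sigma backend: a minimal evaluator for Sigma-style selections (supporting the `contains`, `endswith` and `re` modifiers, with list values OR-ed and map keys AND-ed), run over constructed process-creation records. It applies the note's selection as written beside a tighter variant that requires `reg save`/`reg export` with an `HKLM\SAM`, `SYSTEM` or `SECURITY` key; the tighter selection and the sample records are my assumptions, offered as one way to tune the rule.

```python
import re

# The note's selection, as written: every value is a case-insensitive substring test.
NAIVE_SELECTION = {
    "CommandLine|contains": ["reg save", "SAM", "SYSTEM", "SECURITY"],
}

# Assumed tighter variant: reg.exe image AND a save/export of a credential hive key.
HARDENED_SELECTION = {
    "Image|endswith": ["\\reg.exe"],
    "CommandLine|re": [
        r"(?i)\breg(?:\.exe)?\s+(?:save|export)\b.*\bHK(?:LM|EY_LOCAL_MACHINE)\\(?:SAM|SYSTEM|SECURITY)\b"
    ],
}

# Constructed Sysmon Event ID 1 records: two hive dumps and three benign command lines.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKEY_LOCAL_MACHINE\SECURITY \\fs01\drop\sec.hiv"},
    # Benign: the naive rule matches "SYSTEM" inside the System32 path.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Windows\System32\setup.msi /qn"},
    # Benign: reg query of a non-credential key; neither rule should fire.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    # Benign: a service display name containing "System".
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc query "System Event Notification Service"'},
]


def _match_value(modifier, actual, expected):
    """One Sigma value test. Plain strings are case-insensitive in Sigma; 're' is a raw regex."""
    a, x = actual.lower(), expected.lower()
    if modifier == "":
        return a == x
    if modifier == "contains":
        return x in a
    if modifier == "startswith":
        return a.startswith(x)
    if modifier == "endswith":
        return a.endswith(x)
    if modifier == "re":
        return re.search(expected, actual) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(selection, event):
    """Sigma map semantics: every key must match (AND); a key's list matches if any value does (OR)."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field, "")
        if not any(_match_value(modifier, actual, v) for v in values):
            return False
    return True


def evaluate(selection, events):
    """Indexes of the events the selection fires on."""
    return [i for i, e in enumerate(events) if matches(selection, e)]


if __name__ == "__main__":
    print("naive   :", evaluate(NAIVE_SELECTION, SAMPLE_EVENTS))
    print("hardened:", evaluate(HARDENED_SELECTION, SAMPLE_EVENTS))
```

The naive selection fires on the two dumps and on two benign command lines; the hardened one fires on the dumps only. It is narrower by design (it would miss a renamed reg.exe or a PowerShell hive copy), which is why it belongs beside the file-create and shadow-copy detections rather than replacing them.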
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Restrict hive access | Limit backup rights | Critical | Reduce dump ability |
| Sysmon file monitoring | Track hive copies | Critical | Detect dump output |
| Shadow copy monitoring | Alert on VSS abuse | High | Common locked hive bypass |
| EDR command-line coverage | Preserve reg.exe visibility | Critical | Core triage source |
| Credential hygiene | LAPS / strong local admin controls | High | Reduce post-dump value |