Skip to content

DET0085 Credential Dumping from SAM via Registry Dump and Local File Access

Item Value
ID DET0085
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1003.002 (Security Account Manager)

Analytics

Windows

AN0235

An adversary running with SYSTEM-level privileges executes commands or accesses registry keys to dump the SAM hive or directly reads sensitive local files from the config directory. This behavior often involves sequential access to HKLM\SAM, HKLM\SYSTEM, and creation of .save or .dmp files, enabling offline hash extraction.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Modification (DC0061) WinEventLog:Sysmon EventCode=2
Mutable Elements
Field Description
CommandLinePattern Detectable variations include reg save, reg.exe save, or PowerShell equivalents for dumping SAM/SYSTEM hives.
TargetFilePath Defenders can tune based on dump file path patterns (e.g., %TEMP%\sam.save, C:\Users\Public\*.dmp).
RegistryPath Tune for HKLM\SAM, HKLM\SYSTEM or access via direct \Device\Harddisk paths.
TimeWindow Temporal gap between SAM and SYSTEM hive dumping can be tuned (e.g., 3 minutes).
ParentProcessName Useful for suppressing known-good access (e.g., backup tools).