Alert Information
Critical
- Alert ID
ind:47186ef241ea495885522e5d4930eda3:35170597258-10117-11173392- Composite ID
84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35170597258-10117-11173392- 설명
- A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.
- 호스트
- TEAHEE
- 상태
- new
- 생성 시간
- 2025-12-22 07:47:03
- 업데이트 시간
- 2025-12-22 08:46:03
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- OS Credential Dumping
Command Line
reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv
Raw JSON Data
{"id":"ind:47186ef241ea495885522e5d4930eda3:35170597258-10117-11173392","composite_id":"84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35170597258-10117-11173392","agent_id":"47186ef241ea495885522e5d4930eda3","cid":"84393bf974fd44bda943a25a6a7bc27f","description":"A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.","severity":90,"severity_name":"Critical","confidence":80,"tactic":"Credential Access","tactic_id":"TA0006","technique":"OS Credential Dumping","technique_id":"T1003","cmdline":"reg save HKLM\\SAM C:\\Users\\dokji\\AppData\\Local\\Temp\\sam.hiv","filename":"reg.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\reg.exe","sha256":"ef37663b44ac66920c6f33694deea01acb78ae3f3012884819373fa04c3eb5f0","status":"new","type":"ldt","created_timestamp":"2025-12-21T22:47:03.265475422Z","updated_timestamp":"2025-12-21T23:46:03.261609293Z","device":{"device_id":"47186ef241ea495885522e5d4930eda3","cid":"84393bf974fd44bda943a25a6a7bc27f","agent_version":"7.31.20309.0","hostname":"TEAHEE","local_ip":"172.27.1.29","external_ip":"119.206.248.238","mac_address":"e8-84-a5-3f-53-7c","platform_name":"Windows","os_version":"Windows 11"},"aggregate_id":"aggind:47186ef241ea495885522e5d4930eda3:9235776785","CreatedAt":"2025-12-22T07:47:03.2654754+09:00","UpdatedAt":"2025-12-22T08:46:03.2616093+09:00"}
Quick Info
- Severity Critical
- Score 90
-
Agent ID
47186ef241ea495885522e5d4930eda3
Actions