Critical
Process Information
- File Name: reg.exe
- File Path: \Device\HarddiskVolume3\Windows\System32\reg.exe
- Command Line: reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv
- Process ID: 35448945372
- Parent PID: 35446416325
- SHA256: ef37663b44ac66920c6f33694deea01acb78ae3f3012884819373fa04c3eb5f0
- MD5: f6e3559ddddccc843a12cfd50178c554
- Disposition: 2048 (Prevention, process was blocked from execution.)
Raw JSON Data
{
"metadata": {
"customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
"offset": 158084,
"eventType": "EppDetectionSummaryEvent",
"eventCreationTime": 1766358734000,
"version": "1.0"
},
"event": {
"ProcessStartTime": 1766358671,
"ProcessEndTime": 1766358671,
"ProcessId": 35448945372,
"ParentProcessId": 35446416325,
"Hostname": "TEAHEE",
"UserName": "dokji",
"Name": "Credential Theft",
"Description": "A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.",
"Severity": 90,
"SeverityName": "Critical",
"FileName": "reg.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\reg.exe",
"CommandLine": "reg save HKLM\\SAM C:\\Users\\dokji\\AppData\\Local\\Temp\\sam.hiv",
"SHA256String": "ef37663b44ac66920c6f33694deea01acb78ae3f3012884819373fa04c3eb5f0",
"MD5String": "f6e3559ddddccc843a12cfd50178c554",
"SHA1String": "0000000000000000000000000000000000000000",
"LogonDomain": "TEAHEE",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35448945372-10117-11286544?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
"AgentId": "47186ef241ea495885522e5d4930eda3",
"IOCType": "hash_sha256",
"IOCValue": "ef37663b44ac66920c6f33694deea01acb78ae3f3012884819373fa04c3eb5f0",
"CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35448945372-10117-11286544",
"LocalIP": "172.27.1.26",
"MACAddress": "e8-84-a5-3f-53-7c",
"Tactic": "Credential Access",
"Technique": "OS Credential Dumping",
"Objective": "Gain Access",
"PatternDispositionDescription": "Prevention, process was blocked from execution.",
"PatternDispositionValue": 2048,
"PatternDispositionFlags": {
"Indicator": false,
"Detect": false,
"InddetMask": false,
"SensorOnly": false,
"Rooting": false,
"KillProcess": false,
"KillSubProcess": false,
"QuarantineMachine": false,
"QuarantineFile": false,
"PolicyDisabled": false,
"KillParent": false,
"OperationBlocked": false,
"ProcessBlocked": true,
"RegistryOperationBlocked": false,
"CriticalProcessDisabled": false,
"BootupSafeguardEnabled": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"KillActionFailed": false,
"BlockingUnsupportedOrDisabled": false,
"SuspendProcess": false,
"SuspendParent": false,
"ContainmentFileSystem": false
},
"ParentImageFileName": "cmd.exe",
"ParentCommandLine": "\u0022cmd.exe\u0022 /c reg save HKLM\\SAM C:\\Users\\dokji\\AppData\\Local\\Temp\\sam.hiv",
"GrandParentImageFileName": "MegaGenerator.exe",
"GrandParentCommandLine": "\u0022C:\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish\\MegaGenerator.exe\u0022 --once --scenarios 15 ",
"HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
"AssociatedFile": "\\Device\\HarddiskVolume3\\Windows\\System32\\reg.exe",
"PatternId": 10117,
"SourceVendors": "CrowdStrike",
"SourceProducts": "Falcon Insight",
"DataDomains": "Endpoint",
"AggregateId": "aggind:47186ef241ea495885522e5d4930eda3:9258465608",
"Type": "ldt",
"ParentImageFilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
"GrandParentImageFilePath": "\\Device\\HarddiskVolume3\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish\\MegaGenerator.exe",
"LocalIPv6": "",
"PlatformId": "0",
"PlatformName": "Windows",
"MitreAttack": [
{
"Tactic": "Credential Access",
"TacticID": "TA0006",
"Technique": "OS Credential Dumping",
"TechniqueID": "T1003",
"PatternID": 10117
}
],
"CloudIndicator": false,
"RiskScore": 57
}
}