sigmahighHunting

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

MITRE ATT&CK

discovery

Detection Query

selection:
  EventID:
    - 4656
    - 4663
  ObjectType: key
  ObjectName|endswith:
    - lsa\JD
    - lsa\GBG
    - lsa\Skew1
    - lsa\Data
condition: selection

Author

Roberto Rodriguez @Cyb3rWard0g

Created

2019-08-12

Data Sources

windowssecurity

Platforms

windows

References

https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html

Tags

attack.discoveryattack.t1012

Raw Content

title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
status: test
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
references:
    - https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'key'
        ObjectName|endswith:
            - 'lsa\JD'
            - 'lsa\GBG'
            - 'lsa\Skew1'
            - 'lsa\Data'
    condition: selection
falsepositives:
    - Unknown
level: high