Sigma rules for CVE-2020-1926

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Rule 1 of 2 · direct · level: high
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
Status: test · Author: Roberto Rodriguez @Cyb3rWard0g · ID: f8748f2c-89dc-4d95-afb0-5a2dfdbad332 · License: Sigma DRL-1.1
Sigma YAML:
title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
status: test
description: Detects handles requested to SAM registry hive
references:
    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
    - attack.credential-access
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection
falsepositives:
    - Unknown
level: high
Rule 2 of 2 · direct · level: high
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not been recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Status: test · Author: Florian Roth (Nextron Systems) · ID: 39f919f3-980b-4e6f-a975-8af7e507ef2b · License: Sigma DRL-1.1
Sigma YAML:
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
    - id: 839dd1e8-eda8-4834-8145-01beeee33acd
      type: obsolete
status: test
description: |
    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.
    This occurs when an application tries to access a hive and the hive has not been recognized since the last 7 days (by default).
    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 16
        Provider_Name: Microsoft-Windows-Kernel-General
        HiveName|contains:
            - '\Temp\SAM'
            - '\Temp\SECURITY'
    condition: selection
falsepositives:
    - Unknown
level: high
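A minimal matcher for the two selections above, added here as an example (it is not the Sigma project's or this site's code): it implements Sigma's case-insensitive `endswith` and `contains` string modifiers and runs both rules over constructed sample Windows events, so a detection engineer can see exactly which records each rule would flag.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample events (not real telemetry). Field names follow the two
# rules' log sources: Security EventID 4656 and System/Kernel-General EventID 16.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Channel": "Security", "EventID": 4656, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM", "SubjectUserName": "alice"},
    {"Channel": "Security", "EventID": 4656, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Vendor", "SubjectUserName": "alice"},
    {"Channel": "System", "EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"C:\Windows\Temp\SAM"},
    {"Channel": "System", "EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"C:\Users\bob\ntuser.dat"},
]

# The 'selection' blocks of the two rules on this page, transcribed as dicts.
RULES: Dict[str, Dict[str, Any]] = {
    "SAM Registry Hive Handle Request": {
        "EventID": 4656, "ObjectType": "Key", "ObjectName|endswith": "\\SAM"},
    "Critical Hive In Suspicious Location Access Bits Cleared": {
        "EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
        "HiveName|contains": ["\\Temp\\SAM", "\\Temp\\SECURITY"]},
}

def field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'field|modifier: value(s)' line; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = str(event[field]).lower()            # Sigma string matching is case-insensitive
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "" and value == cand:
            return True
    return False

def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """All lines inside a selection are AND-ed (condition: selection)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def run_rules(events: List[Dict[str, Any]], rules=RULES) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (rule title, event) pairs for every event a rule's selection matches."""
    return [(title, ev) for ev in events for title, sel in rules.items()
            if selection_matches(ev, sel)]
```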
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin