```yaml
title: Registry Hive Credential Dump
id: edr-win-cred-reg-hive-dump
status: stable
description: >
  Detects reg.exe saving SAM, SECURITY, or SYSTEM hives from HKLM.
  Adversaries export these hives for offline credential extraction — NTLM
  hashes from SAM, LSA secrets from SECURITY, and the boot key from SYSTEM.
  Common across Akira, Qilin, and Chaos operations.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  - https://attack.mitre.org/techniques/T1003/002/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.credential_access
  - attack.t1003.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_reg:
    Image|endswith: '\reg.exe'
    # Both tokens are required. Repeating the 'CommandLine|contains' key
    # three times in one map is invalid YAML (a parser keeps only the last
    # key), so the AND is expressed with |all and a second selection.
    CommandLine|contains|all:
      - 'save'
      - 'hklm'
  selection_hive:
    CommandLine|contains:
      - 'sam'
      - 'security'
      - 'system'
  filter_legit:
    CommandLine|contains:
      - 'Rapid7'
      - 'VMware'
      - 'Omnissa'
      - 'ir_agent.exe'
      - '\TSS_'
  condition: all of selection_* and not filter_legit
falsepositives:
  - IR agents collecting forensic data
  - VMware/Omnissa system tools
  - Microsoft TSS diagnostic collections
level: medium
```
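To show how the rule's selection and filter logic behave on real-looking telemetry, the following is an added example (not part of the rule or of any Sigma backend) that evaluates the rule's conditions in plain Python over constructed process_creation events; the `ProcessEvent` type and the sample command lines are assumptions made for illustration, and string matching is case-insensitive as Sigma's default modifiers are.

```python
# Added example: minimal evaluator for edr-win-cred-reg-hive-dump's logic.
# ProcessEvent and SAMPLE_EVENTS are constructed for illustration only.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str
    command_line: str


def matches_selection(ev: ProcessEvent) -> bool:
    img = ev.image.lower()
    cmd = ev.command_line.lower()
    # Image|endswith: '\reg.exe'
    if not img.endswith("\\reg.exe"):
        return False
    # 'save' and 'hklm' must both be present (contains|all)
    if not ("save" in cmd and "hklm" in cmd):
        return False
    # any one of the three credential-bearing hives
    return any(h in cmd for h in ("sam", "security", "system"))


def matches_filter_legit(ev: ProcessEvent) -> bool:
    cmd = ev.command_line.lower()
    return any(m.lower() in cmd for m in
               ("Rapid7", "VMware", "Omnissa", "ir_agent.exe", "\\TSS_"))


def rule_fires(ev: ProcessEvent) -> bool:
    """condition: selection and not filter_legit"""
    return matches_selection(ev) and not matches_filter_legit(ev)


# Constructed sample events: two hive exports, a benign query, a TSS
# diagnostic collection, and a reg save launched under a different image.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg save HKLM\SAM C:\Users\Public\sam.hiv"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg save hklm\security C:\temp\sec.hiv"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg query HKLM\SOFTWARE\Microsoft"),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg save HKLM\SYSTEM C:\TSS_Collect\system.hiv"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd /c reg save hklm\sam out.hiv"),
]


def evaluate(events=SAMPLE_EVENTS):
    return [rule_fires(e) for e in events]
```

The last sample shows the rule keys on the reg.exe image, so a command line that merely mentions reg save under another process does not fire; note also that the 'system' token matches any command line containing System32, so the 'save' and 'hklm' requirements are what keep the rule narrow.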