Skip to content

Hide Navigation Hide TOC

Critical Hive In Suspicious Location Access Bits Cleared (39f919f3-980b-4e6f-a975-8af7e507ef2b)

Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Cluster A Galaxy A Cluster B Galaxy B Level
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Critical Hive In Suspicious Location Access Bits Cleared (39f919f3-980b-4e6f-a975-8af7e507ef2b) Sigma-Rules 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2