title: LOLBAS Chinese APT Credential Theft Save Registry SAM and System
id: ea519d6b-0daf-4b9c-b258-cfa5f482bd79
status: experimental
description: |
    Detects the use of reg.exe to save the HKLM\SAM and HKLM\SYSTEM registry hives to files.
    An offline copy of both hives is sufficient to extract local account password hashes
    (the SYSTEM hive holds the boot key needed to decrypt the SAM hive). The command lines
    below, including the ss.dat and sy.dat output names, are those reported in CISA
    advisory AA23-144a.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
author: SIMKRA, @SIMKRA202
date: 2023/11/11
tags:
    - attack.credential_access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_flag:
        CommandLine|contains: 'save'
    selection_key:
        CommandLine|contains:
            - 'reg save hklm\sam ss.dat'
            - 'reg save hklm\system sy.dat'
            - 'reg save hklm\system'
            - 'reg save hklm\sam'
    condition: all of selection_*
falsepositives:
    - Unknown
    - Administrators or backup tooling saving the SAM and SYSTEM hives to disk (rare; check the destination path and the parent process)
level: high
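The following is an added example and not part of the rule above or of the Sigma project: a minimal Python evaluator for this rule's detection block, run over constructed process_creation events. It assumes Sigma's default matching semantics (case-insensitive, `|contains` is substring, `|endswith` is suffix, no modifier is exact match; a list of maps is an OR, a map is an AND of its fields) and the Sigma Windows field names Image, OriginalFileName and CommandLine. The sample events, including the labels, are constructed for illustration and are not real telemetry.

```python
"""Added example (not part of the original rule): evaluate the Sigma detection
block against constructed Windows process_creation events.

Assumptions: events are dicts keyed by Sigma field names (Image,
OriginalFileName, CommandLine); matching follows Sigma defaults
(case-insensitive, '|contains' substring, '|endswith' suffix, no modifier
means exact match). This is a toy evaluator, not the Sigma reference
implementation or any SIEM backend.
"""

RULE_DETECTION = {
    # A list of maps is an OR between the list items.
    "selection_img": [
        {"Image|endswith": "\\reg.exe"},
        {"OriginalFileName": "reg.exe"},
    ],
    "selection_flag": {"CommandLine|contains": "save"},
    # A list of values under one field is an OR between the values.
    "selection_key": {
        "CommandLine|contains": [
            "reg save hklm\\sam ss.dat",
            "reg save hklm\\system sy.dat",
            "reg save hklm\\system",
            "reg save hklm\\sam",
        ]
    },
}


def _field_matches(event: dict, spec_key: str, expected) -> bool:
    """Match one 'Field|modifier' entry; a list of expected values is an OR."""
    field, _, modifier = spec_key.partition("|")
    if modifier not in ("", "contains", "endswith"):
        raise ValueError(f"unsupported modifier: {modifier}")
    actual = str(event.get(field, "")).lower()
    for candidate in (expected if isinstance(expected, list) else [expected]):
        wanted = str(candidate).lower()
        if modifier == "contains" and wanted in actual:
            return True
        if modifier == "endswith" and actual.endswith(wanted):
            return True
        if modifier == "" and actual == wanted:
            return True
    return False


def _selection_matches(event: dict, selection) -> bool:
    """A map is an AND of its fields; a list is an OR of its items."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return all(
        _selection_matches(event, sel)
        for name, sel in RULE_DETECTION.items()
        if name.startswith("selection_")
    )


# Constructed sample events (not real telemetry). Labels are illustrative.
SAMPLE_EVENTS = {
    "sam_dump_as_in_advisory": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": "reg save hklm\\sam ss.dat",
    },
    "system_hive_uppercase_with_path": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": "REG SAVE HKLM\\SYSTEM C:\\Temp\\sy.dat",
    },
    "benign_query": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": "reg query hklm\\software\\microsoft\\windows\\currentversion\\run",
    },
    # The next two are gaps: selection_img matches, but selection_key anchors
    # on the literal "reg save", which neither command line contains.
    "full_exe_name_invocation": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": "reg.exe save hklm\\sam C:\\Temp\\s.dat",
    },
    "renamed_copy_matched_only_by_originalfilename": {
        "Image": "C:\\Users\\Public\\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": "r.exe save hklm\\system C:\\Temp\\sy.dat",
    },
}


def evaluate_samples() -> dict:
    """Return {label: matched} for every constructed event."""
    return {label: rule_matches(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {label}")
```

Running it shows the two advisory-style command lines firing and the benign `reg query` not firing, but it also shows the rule's blind spot: `selection_key` anchors on the literal string `reg save`, so `reg.exe save hklm\sam ...` and a renamed copy of reg.exe slip past even though `selection_img` (via OriginalFileName) was written to catch them. If that coverage is wanted, `selection_key` can be split so that ` save ` and `hklm\sam` / `hklm\system` are matched as independent `CommandLine|contains` terms rather than one contiguous prefix.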