
Carbon Black Cloud: A low risk score is assigned for SAM registry dumping actions

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All Supported Versions
    • Endpoint Standard (Formerly CB Defense)
    • Enterprise EDR (Formerly CB ThreatHunter)
    • Workload (Formerly CB Defense for VMware + VMware AppDefense)
    • Audit and Remediation (Formerly CB LiveOps)

Symptoms

  • The following or similar actions are performed:
    reg.exe save hklm\sam c:\sam_test
    reg.exe save hklm\system c:\system_test
  • A risk score of 3 (Yellow) is assigned and the activity is classified under the category "Monitored"

Cause

The product's detection logic assigned this activity a low risk score, which was incorrect.

Resolution

A new detection has been created that raises a higher-scoring alert when a user tries to export the SAM registry keys.

Additional Notes

The newly added detection covers both HKLM\SAM and HKLM\SYSTEM.
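As an added illustration (not Carbon Black's own detection logic, which this article does not publish), the following Python flags the `reg.exe save` command lines from the Symptoms section and assigns them a score above the "Monitored" level of 3. The sample command lines, the placeholder score of 8 and the function names are constructed for this example.

```python
import re
import shlex
from typing import List, Optional, Tuple

# Hives named in the article. Their on-disk copies are credential material:
# SAM holds local account hashes, SYSTEM the boot key needed to decrypt them.
SENSITIVE_HIVES = {"sam", "system"}

# HKLM root in short or long form, then the hive, then optional subkeys.
_HKLM_KEY = re.compile(
    r"^(?:hklm|hkey_local_machine)\\(?P<hive>[^\\]+)(?:\\.*)?$", re.IGNORECASE
)

# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"reg.exe save hklm\sam c:\sam_test",
    r"reg.exe save hklm\system c:\system_test",
    r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SAM C:\out\sam.hiv /y',
    r"reg.exe save hklm\software\vendor c:\vendor.hiv",
    r"reg.exe query hklm\system\currentcontrolset\services",
]


def sensitive_hive_saved(cmdline: str) -> Optional[str]:
    """Return the hive name if cmdline is a reg.exe save of a credential-bearing
    HKLM hive (or one of its subkeys), otherwise None."""
    try:
        # posix=False keeps backslashes literal; surrounding quotes are stripped.
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: reg.exe would not have run this
        return None
    if len(argv) < 3:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or argv[1].lower() != "save":
        return None
    m = _HKLM_KEY.match(argv[2])
    if m is None:
        return None
    hive = m.group("hive").lower()
    return hive if hive in SENSITIVE_HIVES else None


def score_event(cmdline: str) -> Tuple[int, str]:
    """Map a command line to (score, category); 8/'Threat' is a placeholder."""
    hive = sensitive_hive_saved(cmdline)
    if hive is None:
        return 0, "None"
    return 8, "Threat: export of HKLM\\" + hive.upper() + " registry hive"


def triage(cmdlines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (cmdline, score, category) for events scoring above 'Monitored' (3)."""
    return [(c, *score_event(c)) for c in cmdlines if score_event(c)[0] > 3]
```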

Article Information
Creation Date: 03-28-2021