Carbon Black Cloud: A low risk score is assigned for SAM registry dumping actions



Article ID: 290744


Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • The following or similar actions are performed:
    reg.exe save hklm\sam c:\sam_test
    reg.exe save hklm\system c:\system_test
  • A risk score of 3 (Yellow) is assigned and the event is classified under the category "Monitored"

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Supported Versions
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter)
    • Workload (formerly CB Defense for VMware + VMware AppDefense)
    • Audit and Remediation (formerly CB LiveOps)

Cause

By product design, this activity was incorrectly being marked with a low risk score.

Resolution

A new detection has been created that raises a higher-scoring alert when a user tries to export the SAM registry keys.

Additional Information

The newly added detection covers exports of both HKLM\sam and HKLM\system.
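As an added illustration (not Carbon Black's detection logic or the product's own code), the check below classifies process command lines the way the corrected behaviour described above should: a `reg save`/`reg export` of the HKLM\sam or HKLM\system hive gets a high score and an alerting category, everything else keeps the low "Monitored" score from this article. The score values, category names and sample events are constructed for the example.

```python
import re
import shlex

# Hives under HKLM named on this page whose export discloses credential material.
SENSITIVE_HIVES = {"sam", "system"}

# Hive portion of the reg.exe path argument, e.g. hklm\sam or HKEY_LOCAL_MACHINE\SYSTEM.
_HIVE_RE = re.compile(r"^(?:hklm|hkey_local_machine)\\([a-z]+)\\?$", re.IGNORECASE)


def is_hive_dump(cmdline: str) -> bool:
    """True when cmdline is a `reg save`/`reg export` of a credential-bearing HKLM hive."""
    try:
        # posix=False keeps Windows backslashes intact and leaves quotes on quoted tokens
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return False  # unbalanced quotes: not parseable, leave it to other rules
    if len(argv) < 3:
        return False
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]  # tolerate a full path
    if exe not in ("reg", "reg.exe") or argv[1].lower() not in ("save", "export"):
        return False
    m = _HIVE_RE.match(argv[2].strip('"'))
    return bool(m) and m.group(1).lower() in SENSITIVE_HIVES


def score_event(cmdline: str) -> tuple:
    """Constructed scoring: hive dumps alert at a high score, all else stays 3/Monitored."""
    if is_hive_dump(cmdline):
        return 8, "Alert"
    return 3, "Monitored"


# Constructed sample process events, including the two command lines from this article.
SAMPLE_EVENTS = [
    r"reg.exe save hklm\sam c:\sam_test",
    r"reg.exe save hklm\system c:\system_test",
    r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SAM C:\Users\Public\s.hiv',
    r"reg export HKLM\SOFTWARE\Microsoft\Windows c:\sw.reg",  # unrelated key: stays low
    r"reg.exe query hklm\sam",  # read-only query, not an export: stays low
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, category = score_event(ev)
        print(f"{score} {category:9} {ev}")
```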