Carbon Black Cloud: A low risk score is assigned for SAM registry dumping actions
Article ID: 290744
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Environment
- Carbon Black Cloud (formerly PSC) Console: All Supported Versions
- Endpoint Standard (formerly CB Defense)
- Enterprise EDR (formerly CB ThreatHunter)
- Workload (formerly CB Defense for VMware + VMware AppDefense)
- Audit and Remediation (formerly CB LiveOps)
Cause
By product design, this activity was incorrectly assigned a low risk score.
Resolution
A new detection has been created to raise a higher-scoring alert when a user tries to export SAM registry keys.
Additional Information
The newly added detection applies to both HKLM\sam and HKLM\system.