MITRE ATT&CK® Analytic

AN0235: Analytic 0235

An adversary running with SYSTEM-level privileges executes commands or accesses registry keys to dump the SAM hive or directly reads sensitive local files from the config directory. This behavior often involves sequential access to HKLM\SAM, HKLM\SYSTEM, and creation of .save or .dmp files, enabling offline hash extraction.

Enterprise | AN0235 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes Windows behavior consistent with an adversary using SYSTEM-level access to obtain local credential material by accessing the SAM and SYSTEM registry hives or sensitive files under the Windows config directory. For leaders, the business issue is not the file access itself; it is that local password hashes can support further compromise, persistence, and incident expansion if endpoint privilege controls, monitoring, and response procedures are weak.

Executive priority

Treat this as a high-value validation area for Windows endpoint resilience and incident readiness. Security leaders should ask whether SOC teams can see SYSTEM-context access to sensitive registry hives and related dump or save files, whether responders have a playbook for suspected local credential theft, and whether audit evidence can show controls around privileged access, endpoint logging, and credential protection. Because no ATT&CK detection logic or relationships are supplied, this should be prioritized as a coverage-validation item rather than assumed to be covered by existing detections.

Technical view

On Windows, validate visibility into SYSTEM-level processes accessing HKLM\SAM and HKLM\SYSTEM and into suspicious creation of registry hive backup or dump artifacts such as .save or .dmp files. Since the ATT&CK object provides no formal detection text, teams should build or review analytics around the sequence and context of sensitive registry/file access rather than relying on a single event. IR teams should confirm they can identify the process, parent process, user/security context, host, command-line or registry access evidence where available, and any resulting files for containment and scoping.

Likely telemetry

  • Windows process creation and parent-child process context
  • Command-line telemetry where collected
  • Registry access telemetry for HKLM\SAM and HKLM\SYSTEM
  • File creation telemetry for .save or .dmp artifacts
  • Endpoint security/EDR events showing SYSTEM-level process activity

Detection direction

  • Validate whether telemetry captures sensitive registry hive access and file creation on Windows endpoints; many environments collect process starts but not detailed registry/file access.
  • Correlate sequential access to HKLM\SAM and HKLM\SYSTEM with creation of dump or save artifacts to reduce noise.
  • Review legitimate administrative, backup, forensic, or security tooling that may access these locations so tuning does not suppress true positives broadly.
  • Prioritize alerts when activity runs as SYSTEM and occurs outside approved maintenance, backup, or incident-response workflows.
  • Because no official detection logic is supplied, test candidate analytics in the local environment before treating them as reliable coverage.
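The correlation the telemetry list and detection direction describe, written out as an added example (it is not Glexia's or MITRE's code and the page supplies no detection logic). The event records are constructed samples, the field names (ts, host, pid, image, parent_image, user, type, target) are an assumed generic EDR schema rather than any product's format, and the approved backup agent path is hypothetical. The logic requires a single process to read both HKLM\SAM and HKLM\SYSTEM and then create a .save or .dmp artifact within a short window, raises severity when the process runs as SYSTEM, and downgrades rather than drops alerts for approved tooling or maintenance windows so tuning cannot silently hide a true positive:

```python
"""Correlate SYSTEM-context SAM/SYSTEM hive access with .save/.dmp creation.

Added example: constructed telemetry and an assumed generic EDR schema,
not Glexia's or MITRE's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_HIVES = (r"hklm\sam", r"hklm\system")  # both must be touched
ARTIFACT_SUFFIXES = (".save", ".dmp")            # hive backup / dump artifacts
SYSTEM_USER = r"nt authority\system"

# Hypothetical approved backup agent; in practice this comes from the tooling review.
APPROVED_IMAGES = frozenset({r"c:\program files\examplebackup\agent.exe"})

SYS = r"NT AUTHORITY\SYSTEM"
CMD = r"C:\Windows\System32\cmd.exe"
AGENT = r"C:\Program Files\ExampleBackup\agent.exe"


def _ev(ts, host, pid, image, user, etype, target, parent=r"C:\Windows\System32\services.exe"):
    return {"ts": ts, "host": host, "pid": pid, "image": image,
            "parent_image": parent, "user": user, "type": etype, "target": target}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # ws-01 / 4120: SYSTEM-context read of SAM, then SYSTEM, then a .save file -> high
    _ev("2026-01-10T02:14:05Z", "ws-01", 4120, CMD, SYS, "registry_read", r"HKLM\SAM"),
    _ev("2026-01-10T02:14:09Z", "ws-01", 4120, CMD, SYS, "registry_read", r"HKLM\SYSTEM"),
    _ev("2026-01-10T02:14:12Z", "ws-01", 4120, CMD, SYS, "file_create", r"C:\Temp\hive1.save"),
    # ws-02 / 888: same sequence from the approved backup agent -> low, still reported
    _ev("2026-01-10T03:00:01Z", "ws-02", 888, AGENT, SYS, "registry_read", r"HKLM\SYSTEM"),
    _ev("2026-01-10T03:00:02Z", "ws-02", 888, AGENT, SYS, "registry_read", r"HKLM\SAM"),
    _ev("2026-01-10T03:00:05Z", "ws-02", 888, AGENT, SYS, "file_create", r"C:\Backups\hive.save"),
    # ws-03 / 2200: SYSTEM hive plus a crash dump; SAM never touched -> no alert
    _ev("2026-01-10T04:10:00Z", "ws-03", 2200, CMD, SYS, "registry_read", r"HKLM\SYSTEM\CurrentControlSet"),
    _ev("2026-01-10T04:10:03Z", "ws-03", 2200, CMD, SYS, "file_create", r"C:\Windows\Temp\app.dmp"),
    # ws-01 / 5100: full sequence in a normal user context -> medium
    _ev("2026-01-10T09:30:00Z", "ws-01", 5100, CMD, r"CORP\jdoe", "registry_read", r"HKLM\SAM"),
    _ev("2026-01-10T09:30:01Z", "ws-01", 5100, CMD, r"CORP\jdoe", "registry_read", r"HKLM\SYSTEM"),
    _ev("2026-01-10T09:30:04Z", "ws-01", 5100, CMD, r"CORP\jdoe", "file_create", r"C:\Users\jdoe\x.dmp"),
    # ws-04 / 7000: both hives read, artifact 40 minutes later -> outside default window
    _ev("2026-01-10T05:00:00Z", "ws-04", 7000, CMD, SYS, "registry_read", r"HKLM\SAM"),
    _ev("2026-01-10T05:00:01Z", "ws-04", 7000, CMD, SYS, "registry_read", r"HKLM\SYSTEM"),
    _ev("2026-01-10T05:40:00Z", "ws-04", 7000, CMD, SYS, "file_create", r"C:\Temp\late.save"),
]


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hive_of(target):
    """Map a registry path to the sensitive hive it belongs to, or None."""
    t = target.lower()
    for hive in SENSITIVE_HIVES:
        if t == hive or t.startswith(hive + "\\"):
            return hive
    return None


def find_hive_dump_sequences(events, window_seconds=300, approved_images=frozenset(),
                             maintenance_windows=()):
    """One alert per process that reads both hives and then writes a .save/.dmp
    artifact within window_seconds. maintenance_windows holds (start, end)
    pairs of timezone-aware datetimes."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"], e["image"])].append(e)
    approved = {a.lower() for a in approved_images}
    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        first_seen = {}  # hive -> time of first access by this process
        for e in evs:
            ts = parse_ts(e["ts"])
            if e["type"] == "registry_read":
                hive = hive_of(e["target"])
                if hive and hive not in first_seen:
                    first_seen[hive] = ts
                continue
            if e["type"] != "file_create" or not e["target"].lower().endswith(ARTIFACT_SUFFIXES):
                continue
            if len(first_seen) < len(SENSITIVE_HIVES):
                continue  # artifact without prior access to both hives
            if ts - min(first_seen.values()) > timedelta(seconds=window_seconds):
                continue  # too far apart to treat as one sequence
            severity, reasons = "medium", []
            if e["user"].lower() == SYSTEM_USER:
                severity, reasons = "high", ["runs as SYSTEM"]
            if image.lower() in approved:
                severity = "low"
                reasons.append("approved tooling; review, do not auto-close")
            elif any(s <= ts <= t for s, t in maintenance_windows):
                severity = "low"
                reasons.append("inside approved maintenance window")
            alerts.append({"host": host, "pid": pid, "image": image,
                           "parent_image": e["parent_image"], "user": e["user"],
                           "artifact": e["target"], "hives": sorted(first_seen),
                           "severity": severity, "reasons": reasons})
            break  # one alert per process
    return alerts


def run_sample():
    return find_hive_dump_sequences(SAMPLE_EVENTS, approved_images=APPROVED_IMAGES)


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"], a["host"], a["pid"], a["image"], a["artifact"], "; ".join(a["reasons"]))
```

Each alert carries the process, parent, user context, host, hives touched and the resulting artifact, which is the scoping information the technical view asks responders to confirm they can recover. Widening window_seconds trades fewer missed sequences for more correlation of unrelated activity, so it should be tuned against the local environment before the analytic is treated as coverage.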

Mitigation priorities

  • Limit and monitor local administrative and SYSTEM-level execution paths on Windows endpoints.
  • Harden endpoint logging and EDR policy to retain process, registry, and file evidence needed for credential-theft investigations.
  • Define an incident response procedure for suspected local credential material access, including host isolation, credential risk assessment, and scoping across related endpoints.
  • Review approved backup, forensic, and administrative tools that legitimately touch registry hives, and document expected behavior for SOC tuning and audit support.
  • Use findings from detection validation to prioritize privileged access management and Windows endpoint hardening improvements.

Analyst notes and limits

The supplied object is a detection analytic for Windows and describes behavior involving SYSTEM-level access to SAM/SYSTEM registry hives and local config files, with possible .save or .dmp artifact creation. No tactics, relationships, labels, aliases, or official detection text were supplied, so the take focuses on defensive validation and response readiness rather than mapping to a broader ATT&CK chain.

This assessment uses only the provided ATT&CK fields, external reference, and absence of relationships. It does not establish active exploitation, actor attribution, prevalence, impact, or guaranteed detectability. Local logging configuration, EDR capabilities, approved administrative workflows, and Windows build/policy differences will determine practical detection quality.

Official MITRE ATT&CK definition

Analytic 0235

An adversary running with SYSTEM-level privileges executes commands or accesses registry keys to dump the SAM hive or directly reads sensitive local files from the config directory. This behavior often involves sequential access to HKLM\SAM, HKLM\SYSTEM, and creation of .save or .dmp files, enabling offline hash extraction.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 934bc696f3c83fd8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 934bc696f3c8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0235

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.