refactor: sam hive dump filename rule

Florian Roth
2022-02-11 12:16:40 +01:00
parent 1bf00333f7
commit 8e255bfdaf
@@ -21,12 +21,6 @@ detection:
- TargetFilename|endswith:
- '\Temp\sam'
- '\sam.sav'
- '\sam.save'
- '\sam.export'
- '\~reg_sam.save'
- '\sam_backup'
- '\sam.bck'
- '\sam.backup'
- '\Intel\sam'
- '\Perflogs\sam'
- '\ProgramData\sam'
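Review bot: the hunk header (12 lines to 6) and the second hunk together show that the six suffix patterns leaving this `endswith` list ('\sam.save', '\sam.export', '\~reg_sam.save', '\sam_backup', '\sam.bck', '\sam.backup') are re-added under a new `TargetFilename|contains` selection rather than dropped, so the rule matches more paths after this commit, not fewer; that is a scope change, not a pure refactor, and neither hunk shown updates the rule's `modified` date or explains the widening, so both the commit message and the rule metadata should say so.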
@@ -34,9 +28,16 @@ detection:
- '\AppData\Local\sam'
- '\AppData\Roaming\sam'
- '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
- '\hive_sam_' # https://github.com/FireFart/hivenightmare
- '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
- TargetFilename: 'c:\sam'
- TargetFilename|contains:
- '\hive_sam_' # https://github.com/FireFart/hivenightmare
- '\sam.save'
- '\sam.export'
- '\~reg_sam.save'
- '\sam_backup'
- '\sam.bck'
- '\sam.backup'
condition: selection
falsepositives:
- Rare cases of administrative activity
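Review bot: the `endswith` entry '\Documents\SAM.export' is now redundant, since the new `TargetFilename|contains: '\sam.export'` already covers that path (Sigma string matching is case-insensitive by default); drop it or carry its reference URL over to the `contains` entry. Moving '\hive_sam_' to `contains` is the right fix, because the `endswith` form could never match HiveNightmare's output names, which carry a suffix after the trailing underscore; but the same `contains` semantics also fire whenever one of these strings appears as a directory component anywhere in the path, so the `falsepositives` entry 'Rare cases of administrative activity' should mention that the match is no longer limited to the file name.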