From 8e255bfdaf092eedc3f3df37d36533dc2a90ab29 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 11 Feb 2022 12:16:40 +0100
Subject: [PATCH] refactor: sam hive dump filename rule

---
 rules/windows/file_event/file_event_sam_dump.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/rules/windows/file_event/file_event_sam_dump.yml b/rules/windows/file_event/file_event_sam_dump.yml
index a07257449..a1b7c55a5 100644
--- a/rules/windows/file_event/file_event_sam_dump.yml
+++ b/rules/windows/file_event/file_event_sam_dump.yml
@@ -21,12 +21,6 @@ detection:
         - TargetFilename|endswith:
             - '\Temp\sam'
             - '\sam.sav'
-            - '\sam.save'
-            - '\sam.export'
-            - '\~reg_sam.save'
-            - '\sam_backup'
-            - '\sam.bck'
-            - '\sam.backup'
             - '\Intel\sam'
             - '\Perflogs\sam'
             - '\ProgramData\sam'
@@ -34,9 +28,16 @@ detection:
             - '\AppData\Local\sam'
             - '\AppData\Roaming\sam'
             - '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
-            - '\hive_sam_' # https://github.com/FireFart/hivenightmare
             - '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
         - TargetFilename: 'c:\sam'
+        - TargetFilename|contains:
+            - '\hive_sam_' # https://github.com/FireFart/hivenightmare
+            - '\sam.save'
+            - '\sam.export'
+            - '\~reg_sam.save'
+            - '\sam_backup'
+            - '\sam.bck'
+            - '\sam.backup'
     condition: selection
 falsepositives:
     - Rare cases of administrative activity
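Review bot: The new `TargetFilename|contains` list makes the surviving `endswith` entry `'\Documents\SAM.export'` redundant, because Sigma string matching is case-insensitive and `contains: '\sam.export'` already matches that path; either drop the `endswith` entry or keep it with a comment such as `# covered by contains '\sam.export' below, kept for the CVE-2021-36934 reference`. Moving `\sam_backup`, `\sam.bck` and `\sam.backup` from `endswith` to `contains` also widens the match to any path that merely contains those substrings (a file written under a `...\sam_backup_2021\` folder, for example), which is presumably the intent for renamed or extension-appended dumps, but the `falsepositives` entry should then mention backup-tool and folder-name collisions rather than only `Rare cases of administrative activity`. The diffstat shows the commit consists of these two hunks alone, so if the rule carries a `modified:` field it was not bumped even though the detection logic changed; it should be, e.g. `modified: 2022/02/11`.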