Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
25 lines
662 B
YAML
25 lines
662 B
YAML
title: SAM Dump to AppData
|
|
id: 839dd1e8-eda8-4834-8145-01beeee33acd
|
|
status: experimental
|
|
description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003 # an old one
|
|
- attack.t1003.002
|
|
author: Florian Roth
|
|
date: 2018/01/27
|
|
logsource:
|
|
product: windows
|
|
service: system
|
|
definition: The source of this type of event is Kernel-General
|
|
detection:
|
|
selection:
|
|
EventID: 16
|
|
keywords:
|
|
- '\AppData\Local\Temp\SAM-'
|
|
- '.dmp'
|
|
condition: selection and all of keywords
|
|
falsepositives:
|
|
- Penetration testing
|
|
level: high
|