security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] NTDS or SAM Database File Copied (#1378)

Browse Source 
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Austin Songer
2021-08-03 15:28:17 -05:00
committed by GitHub
parent 06a9ba6463
commit d2365783fa
1 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+13 -7
View File
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/11/24"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/07/22"
[rule]
author = ["Elastic"]
author = ["Elastic","Austin Songer"]
description = """
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files.
Those files contain sensitive information including hashed domain and/or local credentials.
@@ -15,7 +15,10 @@ language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "NTDS or SAM Database File Copied"
references = ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"]
references = [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
]
risk_score = 73
rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
severity = "high"
@@ -25,9 +28,13 @@ type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") and
process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*")
(
(process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and
process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
) or
(process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*"))
) and
process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*")
'''
@@ -43,4 +50,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"