Techniques
Sample rules
Access To Windows Outlook Mail Files By Uncommon Application
- source: sigma
- techniques:
- t1070
- t1070.008
Description
Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before use.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
    Image|contains:
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\Windows\system32\'
        - ':\Windows\SysWOW64\'
filter_main_system:
    Image: System
filter_optional_defender:
    Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
    Image|endswith:
        - '\MpCopyAccelerator.exe'
        - '\MsMpEng.exe'
filter_optional_thor:
    Image|endswith:
        - '\thor64.exe'
        - '\thor.exe'
selection_unistore:
    FileName|contains: '\AppData\Local\Comms\Unistore\data'
selection_unistoredb:
    FileName|endswith: '\AppData\Local\Comms\UnistoreDB\store.vol'
Access To Browser Credential Files By Uncommon Application
- source: sigma
- techniques:
- t1003
Description
Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before use.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
    Image|contains:
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\Windows\system32\'
        - ':\Windows\SysWOW64\'
filter_main_system:
    Image: System
filter_optional_defender:
    Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
    Image|endswith:
        - '\MpCopyAccelerator.exe'
        - '\MsMpEng.exe'
filter_optional_thor:
    Image|endswith:
        - '\thor64.exe'
        - '\thor.exe'
selection_chromium:
    FileName|contains:
        - '\Appdata\Local\Chrome\User Data\Default\Login Data'
        - '\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies'
        - '\AppData\Local\Google\Chrome\User Data\Local State'
selection_firefox:
    FileName|endswith:
        - '\cookies.sqlite'
        - 'release\key3.db'
        - 'release\key4.db'
        - 'release\logins.json'
selection_ie:
    FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
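Added example, not code from the listed rules or from the Sigma project: a small Python evaluator for the selection/filter logic shared by both rules above, run over constructed file-access events whose Image and FileName fields follow Sysmon's naming. It implements only the modifiers these rules use (contains, endswith, exact match), and every path in the sample events is hypothetical.

```python
def _match(value, modifier, patterns):
    """Sigma string matching on Windows is case-insensitive; list values are OR-ed."""
    value = value.lower()
    for p in (patterns if isinstance(patterns, list) else [patterns]):
        p = p.lower()
        if ((modifier == "contains" and p in value)
                or (modifier == "endswith" and value.endswith(p))
                or (modifier == "" and value == p)):
            return True
    return False

def group_hits(event, group):
    """All fields of one selection/filter must match (AND across fields)."""
    for key, patterns in group.items():
        field, _, modifier = key.partition("|")
        if not _match(event.get(field, ""), modifier, patterns):
            return False
    return True

def rule_matches(event, rule):
    """condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    def one_of(prefix):
        return any(group_hits(event, g) for n, g in rule.items() if n.startswith(prefix))
    return one_of("selection_") and not one_of("filter_main_") and not one_of("filter_optional_")

# Filter groups shared by both rules, transcribed from the listing above.
FILTERS = {
    "filter_main_generic": {"Image|contains": [":\\Program Files (x86)\\", ":\\Program Files\\",
                                               ":\\Windows\\system32\\", ":\\Windows\\SysWOW64\\"]},
    "filter_main_system": {"Image": "System"},
    "filter_optional_defender": {"Image|contains": ":\\ProgramData\\Microsoft\\Windows Defender\\",
                                 "Image|endswith": ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]},
    "filter_optional_thor": {"Image|endswith": ["\\thor64.exe", "\\thor.exe"]},
}
OUTLOOK_RULE = dict(FILTERS,
    selection_unistore={"FileName|contains": "\\AppData\\Local\\Comms\\Unistore\\data"},
    selection_unistoredb={"FileName|endswith": "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"})
BROWSER_RULE = dict(FILTERS,
    selection_chromium={"FileName|contains": "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    selection_firefox={"FileName|endswith": ["\\cookies.sqlite", "release\\logins.json"]})

# Constructed sample events (hypothetical paths, not real telemetry).
COOKIES = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"
EVENTS = {
    "unknown_tool_reads_cookies": {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe", "FileName": COOKIES},
    "chrome_reads_own_cookies": {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "FileName": COOKIES},
    "defender_scans_cookies": {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "FileName": COOKIES},
    "unknown_tool_reads_mail": {"Image": "C:\\Users\\alice\\Downloads\\backup.exe",
                                "FileName": "C:\\Users\\alice\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"},
}
```

Only the unknown-tool events fire; Chrome reading its own store falls under filter_main_generic and the Defender engine under filter_optional_defender, which is where the baselining work the descriptions mention would add further site-specific filters.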