LoFP / copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator.

Techniques

Sample rules

Copying Sensitive Files with Credential Data

Description

Detects the copying of files with well-known filenames that hold credential data (sensitive files such as registry hives and the Active Directory database).

Detection logic

condition: all of selection_esent_* or selection_susp_paths
selection_esent_cli:
  CommandLine|contains|windash:
  - vss
  - ' /m '
  - ' /y '
selection_esent_img:
- Image|endswith: \esentutl.exe
- OriginalFileName: \esentutl.exe
selection_susp_paths:
  CommandLine|contains:
  - \config\RegBack\sam
  - \config\RegBack\security
  - \config\RegBack\system
  - \config\sam
  - \config\security
  - '\config\system '
  - \repair\sam
  - \repair\security
  - \repair\system
  - \windows\ntds\ntds.dit
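To show how this condition evaluates against real process-creation events, and where the backup and forensic false positive named at the top of the page comes from, here is an added Python re-implementation of the rule's selections. It is example code written for this page, not the rule's own code or any Sigma backend. Field names (CommandLine, Image, OriginalFileName) and the match values come from the rule above; the event records are constructed, and the set of dash characters the windash modifier expands to is an assumption.

```python
"""Evaluate the 'Copying Sensitive Files with Credential Data' logic over sample events."""

# Sigma string comparisons are case-insensitive, so every value and field is lower-cased.
def _norm(s):
    return (s or "").lower()

# windash: a '/' in a value also matches dash-style switches. Assumption: the
# variants expanded here are '-', en dash and em dash.
WINDASH = ["/", "-", "\u2013", "\u2014"]

def windash_variants(value):
    return [value.replace("/", d) for d in WINDASH] if "/" in value else [value]

# Values copied from the rule as rendered on the page.
ESENT_CLI = ["vss", " /m ", " /y "]
ESENT_IMG_SUFFIX = r"\esentutl.exe"
ESENT_ORIGINAL_FILENAME = r"\esentutl.exe"   # value exactly as the page renders it
SUSP_PATHS = [
    r"\config\RegBack\sam", r"\config\RegBack\security", r"\config\RegBack\system",
    r"\config\sam", r"\config\security", r"\config\system ",
    r"\repair\sam", r"\repair\security", r"\repair\system",
    r"\windows\ntds\ntds.dit",
]

def selection_esent_cli(event):
    # A list of values under one field is an OR; windash widens each value.
    cl = _norm(event.get("CommandLine"))
    return any(_norm(v) in cl for value in ESENT_CLI for v in windash_variants(value))

def selection_esent_img(event):
    # Two maps in a list: either the Image suffix or the OriginalFileName equality matches.
    return (_norm(event.get("Image")).endswith(_norm(ESENT_IMG_SUFFIX))
            or _norm(event.get("OriginalFileName")) == _norm(ESENT_ORIGINAL_FILENAME))

def selection_susp_paths(event):
    cl = _norm(event.get("CommandLine"))
    return any(_norm(p) in cl for p in SUSP_PATHS)

def explain(event):
    """Which selections fired; useful when triaging a hit against the LoFP entry."""
    return {
        "selection_esent_cli": selection_esent_cli(event),
        "selection_esent_img": selection_esent_img(event),
        "selection_susp_paths": selection_susp_paths(event),
    }

def rule_matches(event):
    # condition: all of selection_esent_* or selection_susp_paths
    s = explain(event)
    return (s["selection_esent_cli"] and s["selection_esent_img"]) or s["selection_susp_paths"]

def evaluate(events):
    return [(e["id"], rule_matches(e)) for e in events]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Backup job copying the SAM hive through esentutl with VSS: the documented false positive.
    {"id": "backup-esentutl", "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Windows\System32\config\SAM /vss /d C:\Backup\SAM"},
    # Forensic collector pulling ntds.dit out of a shadow copy: the other documented false positive.
    {"id": "forensic-ntds", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Evidence\ntds.dit"},
    # Dash-style switches; only matched because of the windash modifier.
    {"id": "esentutl-dash", "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": r"esentutl.exe -y C:\data\mail.edb -d C:\copy\mail.edb"},
    # Routine esentutl database repair: no listed switch, no listed path.
    {"id": "esentutl-repair", "Image": r"C:\Windows\System32\esentutl.exe",
     "OriginalFileName": "esentutl.exe",
     "CommandLine": r"esentutl.exe /p C:\data\mail.edb"},
    # Ordinary document copy.
    {"id": "copy-docs", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\alice\report.docx D:\share\report.docx"},
]

if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS):
        print(f"{event_id:18s} match={hit}")
```

The first two sample events are exactly the legitimate activity this LoFP entry describes, and both fire: the backup through the esentutl branch, the forensic copy through the path branch. The `explain` output tells you which branch produced a hit, which is the first thing to check before tuning, since an exclusion for a backup service account should not also silence the bare path match.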