LoFP / files that accidentally contain these strings

Techniques

• t1552
• t1552.001

Sample rules

Typical HiveNightmare SAM File Export

• source: sigma
• technicques:
  • t1552
  • t1552.001

Description

Detects files written by the different tools that exploit HiveNightmare

Detection logic

condition: selection
selection:
- TargetFilename|contains:
  - \hive_sam_
  - \SAM-2021-
  - \SAM-2022-
  - \SAM-2023-
  - \SAM-haxx
  - \Sam.save
- TargetFilename: C:\windows\temp\sam