LoFP / limited false positives as the scope is limited to sam, system and security hives.

Techniques

• T1003
• T1003.002

Sample rules

Detect Copy of ShadowCopy with Script Block Logging

• source: splunk
• technicques:
  • T1003.002
  • T1003

Description

The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*copy*","*[System.IO.File]::Copy*") AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_copy_of_shadowcopy_with_script_block_logging_filter`