Techniques
Sample rules
SAM Database File Access Attempt
- source: splunk
- techniques:
- T1003.002
- T1003
Description
The following analytic identifies access to the SAM, SYSTEM or SECURITY hive files under \Windows\System32\config
using Windows Security EventCode 4663 (an attempt was made to access an object). This behavior is associated with credential access: an attempt to read the hives either from a Volume Shadow Copy or by exploiting CVE-2021-36934 (HiveNightmare / SeriousSAM), where overly permissive ACLs let a non-administrator read the hive files from shadow copies. The Security Account Manager (SAM) is the database file in which Windows (XP, Vista, 7, 8.1, 10 and their server counterparts) stores local users' password hashes; the SYSTEM hive holds the boot key needed to decrypt them, which is why an attacker typically copies both, and why the search covers all three hives. Note that EventCode 4663 is only generated when the Audit File System subcategory is enabled and a SACL is set on these files, so confirm that auditing is in place before relying on this analytic.
Detection logic
`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*")
| stats values(AccessList) count by ProcessName ObjectName dest src_user
| rename ProcessName as process_name
| `sam_database_file_access_attempt_filter`
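To see exactly what the search above keeps and drops, here is an added Python emulation of its filter and stats stages run over constructed EventCode 4663 records; it is example code written for this page, not Splunk code and not part of the original rule. The event dicts, host names, user names and the hypothetical hive.exe tool are made up, and the emulation assumes Splunk's default case-insensitive wildcard matching on field values. Running it also exposes a tuning point: the term `config\SYSTEM*` also matches files under `config\systemprofile\`, which is the kind of benign activity the filter macro is there to suppress.

```python
import re
from collections import defaultdict

# Wildcard terms copied from the SPL above. Splunk matches field values
# case-insensitively and `*` matches any run of characters.
HIVE_PATTERNS = [
    r"*\Windows\System32\config\SAM*",
    r"*\Windows\System32\config\SYSTEM*",
    r"*\Windows\System32\config\SECURITY*",
]
EXCLUDED_PROCESS = r"*\dllhost.exe"

# Constructed sample events (not real logs), shaped like the fields the
# Splunk Windows add-on extracts from EventCode 4663. hive.exe is hypothetical.
SAMPLE_EVENTS = [
    # COM surrogate touching the live hive, excluded by ProcessName!=*\dllhost.exe
    {"EventCode": "4663", "ProcessName": r"C:\Windows\System32\dllhost.exe",
     "ObjectName": r"C:\Windows\System32\config\SAM",
     "AccessList": "ReadData (or ListDirectory)", "dest": "ws01", "src_user": "CONTOSO\\svc_backup"},
    # Hive read through a volume shadow copy (the HiveNightmare pattern), two accesses
    {"EventCode": "4663", "ProcessName": r"C:\Users\alice\Downloads\hive.exe",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
     "AccessList": "ReadData (or ListDirectory)", "dest": "ws01", "src_user": "CONTOSO\\alice"},
    {"EventCode": "4663", "ProcessName": r"C:\Users\alice\Downloads\hive.exe",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
     "AccessList": "ReadAttributes", "dest": "ws01", "src_user": "CONTOSO\\alice"},
    # reg.exe reading the live SYSTEM hive on a domain controller
    {"EventCode": "4663", "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"C:\Windows\System32\config\SYSTEM",
     "AccessList": "ReadData (or ListDirectory)", "dest": "dc01", "src_user": "CONTOSO\\bob"},
    # Benign: a path under config\systemprofile also matches config\SYSTEM*
    {"EventCode": "4663", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"C:\Windows\System32\config\systemprofile\AppData\Local\cache.dat",
     "AccessList": "WriteData (or AddFile)", "dest": "ws01", "src_user": "NT AUTHORITY\\SYSTEM"},
    # Same file name outside the config directory: out of scope
    {"EventCode": "4663", "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Temp\SAM", "AccessList": "ReadData (or ListDirectory)",
     "dest": "ws01", "src_user": "CONTOSO\\alice"},
    # Handle request (4656) rather than object access (4663): out of scope
    {"EventCode": "4656", "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"C:\Windows\System32\config\SECURITY",
     "AccessList": "ReadData (or ListDirectory)", "dest": "dc01", "src_user": "CONTOSO\\bob"},
]


def matches_wildcard(value, pattern):
    """Emulate a Splunk wildcard comparison: case-insensitive, `*` matches any text."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def is_sam_access_attempt(event):
    """Apply the analytic's search filter to one extracted 4663 event."""
    if event.get("EventCode") != "4663":
        return False
    # `ProcessName!=*\dllhost.exe` only keeps events that carry ProcessName;
    # `NOT ProcessName=*\dllhost.exe` would also keep events lacking the field.
    process = event.get("ProcessName")
    if process is None or matches_wildcard(process, EXCLUDED_PROCESS):
        return False
    return any(matches_wildcard(event.get("ObjectName", ""), p) for p in HIVE_PATTERNS)


def summarize(events, suppress_object_patterns=()):
    """Emulate `stats values(AccessList) count by ProcessName ObjectName dest src_user`
    and the `rename`, then drop rows matching the ObjectName tuning patterns that
    would normally live in the sam_database_file_access_attempt_filter macro."""
    groups = defaultdict(lambda: {"AccessList": set(), "count": 0})
    for ev in events:
        if not is_sam_access_attempt(ev):
            continue
        key = (ev["ProcessName"], ev["ObjectName"], ev.get("dest", ""), ev.get("src_user", ""))
        groups[key]["AccessList"].add(ev.get("AccessList", ""))
        groups[key]["count"] += 1
    rows = []
    for (process, obj, dest, user), agg in sorted(groups.items()):
        if any(matches_wildcard(obj, p) for p in suppress_object_patterns):
            continue
        rows.append({"process_name": process, "ObjectName": obj, "dest": dest,
                     "src_user": user, "AccessList": sorted(agg["AccessList"]),
                     "count": agg["count"]})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
    print("after macro-style tuning:")
    for row in summarize(SAMPLE_EVENTS, suppress_object_patterns=[r"*\config\systemprofile\*"]):
        print(row)
```

The `suppress_object_patterns` argument stands in for the filter macro: the first run returns the shadow-copy read, the reg.exe read and the svchost.exe write under systemprofile; adding the `*\config\systemprofile\*` exclusion removes only the last. When you tune the real macro, anchor exclusions on ObjectName (and, where needed, on the process path) rather than on src_user, since the HiveNightmare case is precisely a normal user reading the hive.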