Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `object_name=*shadowcopy*`.

Sample rules

SAM Database File Access Attempt

Description

The following analytic identifies access to the SAM, SYSTEM or SECURITY database files within the file path windows\system32\config using Windows Security EventCode 4663. This behavior is related to credential access: an attempt to use either a Shadow Copy or the recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.

Detection logic

`wineventlog_security` (EventCode=4663) ProcessName!=*\\dllhost.exe ObjectName IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*")
| stats values(AccessList) count by ProcessName ObjectName dest src_user
| rename ProcessName as process_name
| `sam_database_file_access_attempt_filter`
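To show how the search above behaves on concrete records, here is an added Python re-implementation of its filter and stats stages, run over constructed EventCode 4663 events (this is example code, not the page's or the rule author's). The event dictionaries, hostname and user names are made up, and the `object_name=*shadowcopy*` variant from the false-positive note is reachable through the two keyword arguments.

```python
import fnmatch
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names follow the search on this page.
SAMPLE_EVENTS = [
    {"EventCode": 4663, "ProcessName": r"C:\Windows\System32\dllhost.exe",          # native, expected
     "ObjectName": r"C:\Windows\System32\config\SAM", "AccessList": "ReadData",
     "dest": "ws01", "src_user": "SYSTEM"},
    {"EventCode": 4663, "ProcessName": r"C:\Users\alice\tools\copy.exe",           # read via shadow copy
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
     "AccessList": "ReadData", "dest": "ws01", "src_user": "alice"},
    {"EventCode": 4663, "ProcessName": r"C:\Users\alice\tools\copy.exe",           # two accesses, same key
     "ObjectName": r"C:\Windows\System32\config\SYSTEM", "AccessList": "ReadData",
     "dest": "ws01", "src_user": "alice"},
    {"EventCode": 4663, "ProcessName": r"C:\Users\alice\tools\copy.exe",
     "ObjectName": r"C:\Windows\System32\config\SYSTEM", "AccessList": "ReadAttributes",
     "dest": "ws01", "src_user": "alice"},
    {"EventCode": 4663, "ProcessName": r"C:\Users\alice\tools\copy.exe",           # unrelated file
     "ObjectName": r"C:\Users\alice\notes.txt", "AccessList": "ReadData",
     "dest": "ws01", "src_user": "alice"},
    {"EventCode": 4660, "ProcessName": r"C:\Users\alice\tools\copy.exe",           # wrong EventCode
     "ObjectName": r"C:\Windows\System32\config\SAM", "AccessList": "DELETE",
     "dest": "ws01", "src_user": "alice"},
]

# The ObjectName IN (...) list and the ProcessName!= exclusion from the search.
OBJECT_PATTERNS = (r"*\Windows\System32\config\SAM*", r"*\Windows\System32\config\SYSTEM*",
                   r"*\Windows\System32\config\SECURITY*")
EXCLUDED_PROCESSES = (r"*\dllhost.exe",)


def _matches(value, patterns):
    # Splunk wildcard matches on field values are case-insensitive, so compare lowercased.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def sam_database_file_access_attempt(events, object_patterns=OBJECT_PATTERNS,
                                     excluded_processes=EXCLUDED_PROCESSES):
    """Rows equivalent to `stats values(AccessList) count by ProcessName ObjectName dest src_user`,
    with ProcessName renamed to process_name. Pass object_patterns=("*shadowcopy*",) and
    excluded_processes=() to get the variant suggested in the false-positive note."""
    grouped = defaultdict(lambda: {"AccessList": set(), "count": 0})
    for ev in events:
        if ev.get("EventCode") != 4663:
            continue
        if excluded_processes and _matches(ev.get("ProcessName", ""), excluded_processes):
            continue
        if not _matches(ev.get("ObjectName", ""), object_patterns):
            continue
        key = (ev["ProcessName"], ev["ObjectName"], ev["dest"], ev["src_user"])
        grouped[key]["AccessList"].add(ev["AccessList"])
        grouped[key]["count"] += 1
    return [{"process_name": k[0], "ObjectName": k[1], "dest": k[2], "src_user": k[3],
             "AccessList": sorted(v["AccessList"]), "count": v["count"]} for k, v in grouped.items()]
```

Any further per-environment exclusions (the `sam_database_file_access_attempt_filter` macro) would be applied to the returned rows, which is where the process_name tuning from the note belongs.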