Techniques
Sample rules
Samsam Test File Write
- source: splunk
- techniques:
  - T1486
Description
The search looks for a file named "test.txt" written directly under the Windows System32 directory (file_path matching *\windows\system32\test.txt on any drive), which is consistent with SamSam propagation. The `samsam_test_file_write_filter` macro at the end is the place to add site-specific exclusions once legitimate writers of that file have been identified.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `samsam_test_file_write_filter`
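To show what the search above actually produces, here is an added offline emulation of it in Python. It is not Splunk's code or part of the detection: it runs the same wildcard match and the same `count`/`min(_time)`/`max(_time)`/`values(...)` aggregation by `file_path` over a few constructed events shaped like Endpoint.Filesystem rows, renders times the way `security_content_ctime` does (assuming UTC), and stands in for the filter macro with a simple excluded-user set (that modelling is this example's assumption, since the shipped macro is a no-op).

```python
"""Offline emulation of the "Samsam Test File Write" search.

This is an added example, not Splunk's code: it re-implements the tstats
search over a handful of constructed Endpoint.Filesystem-shaped events so the
matching and aggregation behaviour can be inspected without a Splunk instance.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# The de-escaped where-clause value from the search. Splunk's '*' wildcard
# matches any run of characters; everything else is literal.
SEARCH_PATTERN = r"*\windows\system32\test.txt"

# Constructed sample rows (not real telemetry) already normalised to the
# Endpoint.Filesystem field names the search reads. _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1_700_000_000, "dest": "WS01", "user": "CORP\\svc_backup",
     "file_path": "C:\\Windows\\System32\\test.txt", "file_name": "test.txt"},
    {"_time": 1_700_000_060, "dest": "WS02", "user": "CORP\\svc_backup",
     "file_path": "C:\\Windows\\System32\\test.txt", "file_name": "test.txt"},
    # Same file name outside System32: not matched.
    {"_time": 1_700_000_120, "dest": "WS01", "user": "CORP\\alice",
     "file_path": "C:\\Users\\alice\\Desktop\\test.txt", "file_name": "test.txt"},
    # Different letter case: Splunk field-value matching is case-insensitive,
    # so it matches, but "by file_path" groups it separately from the rows above.
    {"_time": 1_700_000_180, "dest": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "file_path": "c:\\windows\\system32\\TEST.TXT", "file_name": "TEST.TXT"},
    # Subdirectory of System32: the pattern has no wildcard after system32\,
    # so this is not matched.
    {"_time": 1_700_000_240, "dest": "WS03", "user": "CORP\\svc_backup",
     "file_path": "C:\\Windows\\System32\\drivers\\test.txt", "file_name": "test.txt"},
]


def glob_to_regex(pattern):
    """Translate a Splunk wildcard value into a case-insensitive full-match regex."""
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body, re.IGNORECASE)


def security_content_ctime(epoch):
    """Mirror the `security_content_ctime` macro (convert ... ctime); UTC is assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def run_detection(events, pattern=SEARCH_PATTERN, excluded_users=()):
    """Emulate the tstats search: filter on file_path, aggregate by file_path.

    excluded_users stands in for the `samsam_test_file_write_filter` macro,
    which ships as a no-op and is where an analyst adds site-specific
    exclusions; modelling it as an excluded-user set is this example's assumption.
    """
    rx = glob_to_regex(pattern)
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "user": set(), "dest": set(), "file_name": set()})
    for ev in events:
        if not rx.fullmatch(ev["file_path"]):
            continue
        g = groups[ev["file_path"]]          # "by Filesystem.file_path" groups on the exact value
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        for field in ("user", "dest", "file_name"):
            g[field].add(ev[field])          # values(...) keeps distinct values

    rows = []
    for path, g in sorted(groups.items()):
        users = sorted(g["user"])            # values() returns lexically sorted uniques
        # The filter macro is the last stage of the search, so exclusions apply
        # to aggregated rows: drop a row only if every user on it is excluded.
        if users and all(u in excluded_users for u in users):
            continue
        rows.append({
            "file_path": path,
            "count": g["count"],
            "firstTime": security_content_ctime(g["firstTime"]),
            "lastTime": security_content_ctime(g["lastTime"]),
            "user": users,
            "dest": sorted(g["dest"]),
            "file_name": sorted(g["file_name"]),
        })
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Two behaviours worth noticing when tuning: the wildcard only anchors the prefix, so the same file name in a System32 subdirectory does not fire, and because the grouping key is the raw `file_path` value, case variants of the same path surface as separate rows with separate counts.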