LoFP LoFP / powershell scripts fixing hivenightmare / serioussam acls

Techniques

Sample rules

PowerShell SAM Copy

Description

Detects suspicious PowerShell scripts accessing SAM hives

Detection logic

condition: all of selection*
selection_1:
  CommandLine|contains|all:
  - \HarddiskVolumeShadowCopy
  - System32\config\sam
selection_2:
  CommandLine|contains:
  - Copy-Item
  - cp $_.
  - cpi $_.
  - copy $_.
  - .File]::Copy(