LoFP / rare cases of administrative activity

Techniques

Sample rules

Potential SAM Database Dump

Description

Detects the creation of files whose names look like exports of the local SAM (Security Account Manager) database.

Detection logic

selection:
- TargetFilename|endswith:
  - \Temp\sam
  - \sam.sav
  - \Intel\sam
  - \sam.hive
  - \Perflogs\sam
  - \ProgramData\sam
  - \Users\Public\sam
  - \AppData\Local\sam
  - \AppData\Roaming\sam
  - _ShadowSteal.zip
  - \Documents\SAM.export
  - :\sam
- TargetFilename|contains:
  - \hive_sam_
  - \sam.save
  - \sam.export
  - \~reg_sam.save
  - \sam_backup
  - \sam.bck
  - \sam.backup
condition: selection
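The selection above applied to constructed Sysmon file-creation events, as an added example that is not the LoFP page's or the Sigma project's own code. The event records and image paths are constructed, and Sigma's case-insensitive semantics for the endswith and contains modifiers are assumed.

```python
"""Apply the 'Potential SAM Database Dump' selection to sample Sysmon
Event ID 11 (FileCreate) records.  Added example; events are constructed."""

# Sigma 'endswith' / 'contains' string modifiers are case-insensitive.
ENDSWITH = [
    r"\Temp\sam", r"\sam.sav", r"\Intel\sam", r"\sam.hive", r"\Perflogs\sam",
    r"\ProgramData\sam", r"\Users\Public\sam", r"\AppData\Local\sam",
    r"\AppData\Roaming\sam", "_ShadowSteal.zip", r"\Documents\SAM.export",
    r":\sam",
]
CONTAINS = [
    r"\hive_sam_", r"\sam.save", r"\sam.export", r"\~reg_sam.save",
    r"\sam_backup", r"\sam.bck", r"\sam.backup",
]

def matches_selection(target_filename: str) -> bool:
    """True when TargetFilename satisfies either list (Sigma ORs list items)."""
    name = target_filename.lower()
    return (any(name.endswith(p.lower()) for p in ENDSWITH)
            or any(p.lower() in name for p in CONTAINS))

# Constructed Sysmon Event ID 11 records, key fields only.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\reg.exe",
     "TargetFilename": r"C:\Windows\Temp\sam"},            # matches endswith
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\SAM"},  # live hive path, no match
    {"EventID": 11, "Image": r"C:\Program Files\BackupTool\bkp.exe",
     "TargetFilename": r"D:\Backups\hive_sam_2024-01-05.reg"},  # admin backup, matches
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\samples.txt"},  # no match
    {"EventID": 11, "Image": r"C:\Tools\7z.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\loot_ShadowSteal.zip"},  # matches
]

def alerts(events):
    """Return (Image, TargetFilename) for every FileCreate event the rule flags."""
    return [(e["Image"], e["TargetFilename"]) for e in events
            if e["EventID"] == 11 and matches_selection(e["TargetFilename"])]

if __name__ == "__main__":
    for image, path in alerts(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {path}")
```

The backup-tool record is the administrative case this page files the rule under: a legitimately named hive backup satisfies the same selection, so triage should weigh the writing Image and the destination path.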