Techniques
Sample rules
Windows Security Account Manager Stopped
- source: splunk
- technicques:
- T1489
Description
The search looks for a Windows Security Account Manager (SAM) was stopped via command-line. This is consistent with Ryuk infections across a fleet of endpoints.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"="net*.exe" "Processes.process"="*stop \"samss\"*") BY Processes.dest Processes.user Processes.process Processes.process_guid Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_security_account_manager_stopped_filter`