Techniques
Sample rules
PowerShell SAM Copy
- source: sigma
- techniques:
  - t1003
  - t1003.002
Description
Detects suspicious PowerShell scripts accessing SAM hives
Detection logic
condition: all of selection*
selection_1:
  CommandLine|contains|all:
    - \HarddiskVolumeShadowCopy
    - System32\config\sam
selection_2:
  CommandLine|contains:
    - Copy-Item
    - cp $_.
    - cpi $_.
    - copy $_.
    - .File]::Copy(