Techniques
Sample rules
Transferring Files with Credential Data via Network Shares - Zeek
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.003
 
Description
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Detection logic
condition: selection
selection:
  name:
  - \mimidrv
  - \lsass
  - \windows\minidump\
  - \hiberfil
  - \sqldmpr
  - \sam
  - \ntds.dit
  - \security
Transferring Files with Credential Data via Network Shares
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.003
 
Description
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Detection logic
condition: all of selection_*
selection_eid:
  EventID: 5145
selection_object:
- RelativeTargetName|contains:
  - \mimidrv
  - \lsass
  - \windows\minidump\
  - \hiberfil
  - \sqldmpr
- RelativeTargetName:
  - Windows\NTDS\ntds.dit
  - Windows\System32\config\SAM
  - Windows\System32\config\SECURITY
  - Windows\System32\config\SYSTEM
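The following is an added worked example, not code from the Sigma project or from this page: it evaluates both selections above with Sigma string semantics (case-insensitive; an unmodified value is an exact match with `*`/`?` wildcards, a `|contains` value is a substring match) against constructed sample records. The Windows rule is checked against Security event 5145 fields, the Zeek rule against the `name` field of an smb_files.log record; all sample records and their field values are constructed for the example. Note that the Zeek rule's `name` list carries no modifier, so as printed it only fires on exact names, whereas the Windows rule's first branch uses `|contains`.

```python
import re
from typing import Callable, Iterable

# --- Sigma-style string matching ----------------------------------------

def _sigma_value_regex(value: str, contains: bool) -> re.Pattern:
    """Compile one Sigma string value.

    Sigma strings are case-insensitive. In a plain value '*' and '?' are
    wildcards and the whole field must match; with |contains the value may
    appear anywhere in the field.
    """
    out = []
    for tok in re.split(r"([*?])", value):
        if tok == "*":
            out.append(".*")
        elif tok == "?":
            out.append(".")
        else:
            out.append(re.escape(tok))
    body = "".join(out)
    if not contains:
        body = "^" + body + "$"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def field_matches(value: str, patterns: Iterable[str], contains: bool = False) -> bool:
    """A list of values under one field is an OR in Sigma."""
    return any(_sigma_value_regex(p, contains).search(value) for p in patterns)


# --- Rule 1: Zeek smb_files.log, condition: selection ------------------

ZEEK_SELECTION_NAME = [
    "\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil",
    "\\sqldmpr", "\\sam", "\\ntds.dit", "\\security",
]


def zeek_rule(record: dict) -> bool:
    """No modifier on `name`, so Sigma semantics are an exact match."""
    return field_matches(record.get("name", ""), ZEEK_SELECTION_NAME)


# --- Rule 2: Windows Security 5145, condition: all of selection_* ------

WIN_CONTAINS = ["\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil", "\\sqldmpr"]
WIN_EXACT = [
    "Windows\\NTDS\\ntds.dit",
    "Windows\\System32\\config\\SAM",
    "Windows\\System32\\config\\SECURITY",
    "Windows\\System32\\config\\SYSTEM",
]


def windows_rule(event: dict) -> bool:
    """selection_eid AND selection_object; selection_object is a list of two
    maps, which Sigma evaluates as an OR between them."""
    if str(event.get("EventID", "")) != "5145":
        return False
    target = event.get("RelativeTargetName", "")
    return (field_matches(target, WIN_CONTAINS, contains=True)
            or field_matches(target, WIN_EXACT))


def alerts(records: Iterable[dict], rule: Callable[[dict], bool], field: str) -> list:
    """Return the value of `field` for every record the rule fires on."""
    return [r[field] for r in records if rule(r)]


# Constructed sample records (not real telemetry).
SAMPLE_5145 = [
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "SubjectUserName": "svc_backup",
     "RelativeTargetName": "Windows\\System32\\config\\SAM"},
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "jdoe",
     "RelativeTargetName": "Temp\\lsass.dmp"},
    {"EventID": 5145, "ShareName": "\\\\*\\Users", "SubjectUserName": "alice",
     "RelativeTargetName": "Users\\alice\\report.docx"},
    # Same path, but a file-system audit event rather than a share access.
    {"EventID": 4663, "SubjectUserName": "svc_backup",
     "RelativeTargetName": "Windows\\System32\\config\\SAM"},
]

SAMPLE_ZEEK = [
    {"id.orig_h": "10.0.0.5", "path": "\\\\dc01\\C$", "name": "\\lsass"},
    {"id.orig_h": "10.0.0.5", "path": "\\\\dc01\\C$", "name": "\\SAM"},
    {"id.orig_h": "10.0.0.9", "path": "\\\\dc01\\ADMIN$", "name": "Windows\\Temp\\lsass.dmp"},
]

if __name__ == "__main__":
    print("5145 hits:", alerts(SAMPLE_5145, windows_rule, "RelativeTargetName"))
    print("zeek hits:", alerts(SAMPLE_ZEEK, zeek_rule, "name"))
```

The third Zeek sample record carries a path that the Windows rule's `|contains` branch would flag but the unmodified Zeek `name` list does not, which is the practical difference between the two rules as printed.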
