LoFP / transferring sensitive files for legitimate administration work by legitimate administrator

Techniques

Sample rules

Transferring Files with Credential Data via Network Shares

Description

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Detection logic

condition: all of selection_*
selection_eid:
  EventID: 5145
selection_object:
- RelativeTargetName|contains:
  - \mimidrv
  - \lsass
  - \windows\minidump\
  - \hiberfil
  - \sqldmpr
- RelativeTargetName:
  - Windows\NTDS\ntds.dit
  - Windows\System32\config\SAM
  - Windows\System32\config\SECURITY
  - Windows\System32\config\SYSTEM

Transferring Files with Credential Data via Network Shares - Zeek

Description

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Detection logic

condition: selection
selection:
  name:
  - \mimidrv
  - \lsass
  - \windows\minidump\
  - \hiberfil
  - \sqldmpr
  - \sam
  - \ntds.dit
  - \security
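The following is an added example, not part of this LoFP page or of the Sigma rules it lists. It evaluates both rules above over constructed sample events, using Sigma's case-insensitive string semantics (`|contains` is a substring test, a bare value is an exact match), and then applies the tuning this false-positive entry calls for: matches attributed to a known administrative account are suppressed rather than alerted. Two assumptions are labelled: the Zeek rule's `name` values are treated as substrings, since the listed fragments only make sense that way, and the field names used for the allowlist (`SubjectUserName` for 5145, `id.orig_h` for Zeek `smb_files`) are chosen for illustration. The sample events are constructed.

```python
"""Evaluate the two 'Transferring Files with Credential Data via Network
Shares' rules over sample events and apply an account allowlist.
Added example: not the page's or the Sigma project's own code."""

from typing import Callable, Dict, Iterable, List, Tuple

# Values copied from the Windows (Security Event ID 5145) rule above.
WIN_CONTAINS = ["\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil", "\\sqldmpr"]
WIN_EXACT = [
    "Windows\\NTDS\\ntds.dit",
    "Windows\\System32\\config\\SAM",
    "Windows\\System32\\config\\SECURITY",
    "Windows\\System32\\config\\SYSTEM",
]

# Values copied from the Zeek rule above. ASSUMPTION: treated as substrings
# of the smb_files `name` field, since fragments like "\sam" only match that way.
ZEEK_CONTAINS = ["\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil",
                 "\\sqldmpr", "\\sam", "\\ntds.dit", "\\security"]


def matches_windows_rule(event: Dict) -> bool:
    """condition: all of selection_* -> EventID 5145 AND (contains-list OR exact-list)."""
    if event.get("EventID") != 5145:
        return False
    target = str(event.get("RelativeTargetName", "")).lower()  # Sigma matching is case-insensitive
    if any(fragment.lower() in target for fragment in WIN_CONTAINS):
        return True
    return any(target == path.lower() for path in WIN_EXACT)


def matches_zeek_rule(event: Dict) -> bool:
    """condition: selection -> name matches any listed fragment (see ASSUMPTION above)."""
    name = str(event.get("name", "")).lower()
    return any(fragment.lower() in name for fragment in ZEEK_CONTAINS)


def triage(events: Iterable[Dict], matcher: Callable[[Dict], bool],
           allowlisted_accounts: Iterable[str] = (),
           account_field: str = "SubjectUserName") -> Tuple[List[Dict], List[Dict]]:
    """Split matching events into (alerts, suppressed).

    Suppression models the LoFP entry: the same file access by a known
    administrative account is expected and should not page anyone, but it is
    still returned so it can be logged for audit rather than silently dropped.
    """
    allow = {a.lower() for a in allowlisted_accounts}
    alerts, suppressed = [], []
    for event in events:
        if not matcher(event):
            continue
        if str(event.get(account_field, "")).lower() in allow:
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed


# Constructed sample events (not real logs).
SAMPLE_WIN_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "backup-admin", "RelativeTargetName": "Windows\\NTDS\\ntds.dit"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "RelativeTargetName": "temp\\lsass.dmp"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "RelativeTargetName": "Reports\\Q3.xlsx"},
    {"EventID": 5140, "SubjectUserName": "jdoe", "RelativeTargetName": "Windows\\System32\\config\\SAM"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "RelativeTargetName": "windows\\system32\\config\\sam"},
]
SAMPLE_ZEEK_EVENTS = [
    {"id.orig_h": "10.0.0.5", "action": "SMB::FILE_OPEN", "name": "Windows\\NTDS\\ntds.dit"},
    {"id.orig_h": "10.0.0.7", "action": "SMB::FILE_OPEN", "name": "Users\\jdoe\\notes.txt"},
    {"id.orig_h": "10.0.0.8", "action": "SMB::FILE_OPEN", "name": "tools\\mimidrv.sys"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_WIN_EVENTS, matches_windows_rule,
                                allowlisted_accounts=["backup-admin"])
    print("5145 alerts:", [e["RelativeTargetName"] for e in alerts])
    print("5145 suppressed (allowlisted admin):", [e["RelativeTargetName"] for e in suppressed])
    zeek_alerts, _ = triage(SAMPLE_ZEEK_EVENTS, matches_zeek_rule, account_field="id.orig_h")
    print("zeek alerts:", [e["name"] for e in zeek_alerts])
```

Note that the 5140 event is ignored even though its target is the SAM hive, because the rule requires `all of selection_*`, and that the lower-case `config\sam` path still matches the exact-value list. Allowlisting by account (or by source host for the Zeek variant) is the narrowest tuning for this entry; widening the exclusion to whole shares or paths would also hide the credential-theft cases the rule exists for.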