Techniques
Sample rules
Transferring Files with Credential Data via Network Shares
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.003
Description
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Detection logic
condition: all of selection_*
selection_eid:
    EventID: 5145
selection_object:
    - RelativeTargetName|contains:
        - \mimidrv
        - \lsass
        - \windows\minidump\
        - \hiberfil
        - \sqldmpr
    - RelativeTargetName:
        - Windows\NTDS\ntds.dit
        - Windows\System32\config\SAM
        - Windows\System32\config\SECURITY
        - Windows\System32\config\SYSTEM
Transferring Files with Credential Data via Network Shares - Zeek
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.003
Description
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Detection logic
condition: selection
selection:
    name:
        - \mimidrv
        - \lsass
        - \windows\minidump\
        - \hiberfil
        - \sqldmpr
        - \sam
        - \ntds.dit
        - \security
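Both detection blocks above, evaluated over constructed sample records as an added example (this is not code from the page or from the Sigma project). It assumes Sigma's default case-insensitive string matching, and treats the Zeek `name` list as a substring match, an assumption made because its values are path fragments rather than complete file names.

```python
# Added example: evaluate the two rules above over constructed sample records.
# Sigma string matching is case-insensitive by default, so both sides are lowercased.
CONTAINS_NAMES = ["\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil", "\\sqldmpr"]
EXACT_NAMES = ["Windows\\NTDS\\ntds.dit", "Windows\\System32\\config\\SAM",
               "Windows\\System32\\config\\SECURITY", "Windows\\System32\\config\\SYSTEM"]
ZEEK_NAMES = CONTAINS_NAMES + ["\\sam", "\\ntds.dit", "\\security"]


def match_event_5145(event: dict) -> bool:
    """Windows Security rule: EventID 5145 AND (contains-any OR equals-any).

    selection_object is a list of two maps, which Sigma joins with OR."""
    if str(event.get("EventID")) != "5145":
        return False
    target = str(event.get("RelativeTargetName", "")).lower()
    by_contains = any(s.lower() in target for s in CONTAINS_NAMES)
    by_exact = any(target == s.lower() for s in EXACT_NAMES)
    return by_contains or by_exact


def match_zeek_smb(record: dict) -> bool:
    """Zeek smb_files.log rule; substring match on `name` is an assumption here."""
    name = str(record.get("name", "")).lower()
    return any(s.lower() in name for s in ZEEK_NAMES)


def scan(records: list, matcher) -> list:
    """Return the records a rule fires on; these are the alert candidates."""
    return [r for r in records if matcher(r)]


# Constructed sample data, not real logs. Event 5145 carries the share and the
# path relative to the share root; the 5140 record shows the EventID gate working.
SAMPLE_5145 = [
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\NTDS\\ntds.dit"},
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\lsass.dmp"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\alice\\report.docx"},
    {"EventID": 5140, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\System32\\config\\SAM"},
]
SAMPLE_ZEEK = [
    {"name": "Windows\\System32\\config\\SAM", "action": "SMB::FILE_OPEN"},
    {"name": "shared\\quarterly.xlsx", "action": "SMB::FILE_OPEN"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_5145, match_event_5145):
        print("5145 hit:", hit["ShareName"], hit["RelativeTargetName"])
    for hit in scan(SAMPLE_ZEEK, match_zeek_smb):
        print("zeek hit:", hit["name"])
```

Short fragments such as `\sam` and `\security` also match unrelated paths (for example a `\samples\` directory), so tune or exclude those in environments where they fire often.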