Techniques
Sample rules
Suspicious Access to Sensitive File Extensions - Zeek
- source: sigma
- techniques:
Description
Detects known sensitive file extensions via Zeek
Detection logic
condition: selection
selection:
  name|endswith:
    - .pst
    - .ost
    - .msg
    - .nst
    - .oab
    - .edb
    - .nsf
    - .bak
    - .dmp
    - .kirbi
    - \groups.xml
    - .rdp
Suspicious Access to Sensitive File Extensions
- source: sigma
- techniques:
- t1039
Description
Detects known sensitive file extensions accessed on a network share
Detection logic
condition: selection
selection:
  EventID: 5145
  RelativeTargetName|endswith:
    - .bak
    - .dmp
    - .edb
    - .kirbi
    - .msg
    - .nsf
    - .nst
    - .oab
    - .ost
    - .pst
    - .rdp
    - \groups.xml
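Added example, not part of the rules or of any Sigma tooling: a small Python evaluator for the detection logic of both rules above (the `|endswith` suffix list, plus the EventID 5145 constraint for the share variant), run over constructed sample events so you can see which records each rule fires on. Event field names and values are assumptions made up for the demonstration.

```python
# Added example: minimal evaluator for the two Sigma rules above,
# run over constructed sample events. Not the rules' own tooling.
SENSITIVE_SUFFIXES = (
    ".pst", ".ost", ".msg", ".nst", ".oab", ".edb",
    ".nsf", ".bak", ".dmp", ".kirbi", "\\groups.xml", ".rdp",
)

def endswith_any(value, suffixes=SENSITIVE_SUFFIXES):
    """Sigma's |endswith modifier: case-insensitive suffix match on one field."""
    if not isinstance(value, str):
        return False  # a missing field never matches
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def zeek_rule(event):
    """Rule 1 (Zeek): the event's `name` field ends with a sensitive suffix."""
    return endswith_any(event.get("name"))

def share_rule(event):
    """Rule 2 (Windows): Security EventID 5145 (detailed file share access)
    whose RelativeTargetName (path relative to the share root) ends with one."""
    return event.get("EventID") == 5145 and endswith_any(event.get("RelativeTargetName"))

def run_rule(rule, events):
    """Return the events the rule fires on."""
    return [e for e in events if rule(e)]

# Constructed sample events (hypothetical values, not real telemetry)
ZEEK_EVENTS = [
    {"uid": "z1", "name": "mailbox-archive.PST"},              # matches, case-insensitive
    {"uid": "z2", "name": "Q3-report.docx"},                   # benign, no match
    {"uid": "z3", "name": "Preferences\\Groups\\Groups.xml"},  # matches \groups.xml
    {"uid": "z4"},                                             # no name field
]
WIN_EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\Finance", "RelativeTargetName": "budget\\FY24.xlsx"},
    {"EventID": 5145, "ShareName": "\\\\*\\home", "RelativeTargetName": "bob\\ticket.kirbi"},
    {"EventID": 4663, "RelativeTargetName": "bob\\Outlook.ost"},  # right suffix, wrong event
    {"EventID": 5145, "ShareName": "\\\\*\\IT", "RelativeTargetName": "backups\\sql\\prod.bak"},
]

if __name__ == "__main__":
    for e in run_rule(zeek_rule, ZEEK_EVENTS) + run_rule(share_rule, WIN_EVENTS):
        print("ALERT", e)
```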