Suspicious Access to Sensitive File Extensions - Zeek

Detects SMB access, as recorded in Zeek smb_files logs, to files whose names end in extensions associated with sensitive data: mail stores (.pst, .ost, .msg, .nst, .oab), Exchange/AD and Notes databases (.edb, .nsf), backups (.bak), memory dumps (.dmp), Kerberos tickets (.kirbi), Group Policy Preferences groups.xml, and RDP connection files (.rdp).

Sigma rule (View on GitHub)

title: Suspicious Access to Sensitive File Extensions - Zeek
id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
related:
    - id: 91c945bc-2ad1-4799-a591-4d00198a1215
      type: derived
status: test
description: Detects known sensitive file extensions via Zeek
references:
    - Internal Research
author: Samir Bousseaden, @neu5ron
date: 2020/04/02
modified: 2021/11/27
tags:
    - attack.collection
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        name|endswith:
            - '.pst'
            - '.ost'
            - '.msg'
            - '.nst'
            - '.oab'
            - '.edb'
            - '.nsf'
            - '.bak'
            - '.dmp'
            - '.kirbi'
            - '\groups.xml'
            - '.rdp'
    condition: selection
falsepositives:
    - Help desk operators backing up or re-imaging end-user machines, or backup software
    - Users working with these data types or exchanging message files
level: medium
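The selection above applied to Zeek smb_files records, as an added example; this is not code from the rule author or the Sigma project. It assumes Zeek is writing JSON logs (field names such as `id.orig_h`, `path`, `name`, `action`), and the log lines below are constructed for the example. Two details matter in practice: Sigma string matching is case-insensitive by default, so a backend must lowercase `name` before comparing (otherwise `archive.PST` or `Groups.xml` slip through), and the leading backslash in `\groups.xml` is what keeps `subgroups.xml` from matching. The `allowlisted_sources` argument is a hypothetical tuning knob for the false positives the rule lists (backup servers, help desk hosts), not part of the rule itself.

```python
"""Run the rule's name|endswith selection over Zeek smb_files JSON records."""
import json

# Values copied from the rule's name|endswith list. Sigma matches strings
# case-insensitively by default, so names are lowercased before comparison.
SENSITIVE_SUFFIXES = (
    ".pst", ".ost", ".msg", ".nst", ".oab", ".edb", ".nsf",
    ".bak", ".dmp", ".kirbi", "\\groups.xml", ".rdp",
)

# Constructed sample smb_files records in Zeek's JSON log format (not real data).
SAMPLE_SMB_FILES_LOG = [
    json.dumps({"ts": 1585814400.1, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.15",
                "id.orig_p": 49812, "id.resp_h": "10.0.0.5", "id.resp_p": 445,
                "fuid": "FmZgTp3hFFqQGy0rc1", "action": "SMB::FILE_OPEN",
                "path": "\\\\fs01\\users", "name": "jdoe\\Outlook\\archive.PST", "size": 2147483648}),
    json.dumps({"ts": 1585814401.7, "uid": "CXWv6p3arKYeMETxOg", "id.orig_h": "10.0.0.23",
                "id.orig_p": 50112, "id.resp_h": "10.0.0.2", "id.resp_p": 445,
                "fuid": "FkQ1l9lsRYTaEdAHj", "action": "SMB::FILE_READ",
                "path": "\\\\dc01\\SYSVOL",
                "name": "contoso.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"
                        "\\Machine\\Preferences\\Groups\\Groups.xml", "size": 1182}),
    json.dumps({"ts": 1585814402.3, "uid": "CXWv6p3arKYeMETxOg", "id.orig_h": "10.0.0.23",
                "id.orig_p": 50112, "id.resp_h": "10.0.0.2", "id.resp_p": 445,
                "fuid": "F9lZrL2JWs0ZoEiJf", "action": "SMB::FILE_WRITE",
                "path": "\\\\dc01\\C$", "name": "Windows\\Temp\\admin.kirbi", "size": 1544}),
    json.dumps({"ts": 1585814403.9, "uid": "CmES5u32sYpV7JYN", "id.orig_h": "10.0.0.31",
                "id.orig_p": 51004, "id.resp_h": "10.0.0.5", "id.resp_p": 445,
                "fuid": "FRmBf43MFMt0SsE6P", "action": "SMB::FILE_OPEN",
                "path": "\\\\fs01\\finance", "name": "Reports\\Q1.xlsx", "size": 88321}),
    json.dumps({"ts": 1585814404.2, "uid": "CmES5u32sYpV7JYN", "id.orig_h": "10.0.0.31",
                "id.orig_p": 51004, "id.resp_h": "10.0.0.5", "id.resp_p": 445,
                "fuid": "Fa0dZc1T4ZxfLPrJ6", "action": "SMB::FILE_OPEN",
                "path": "\\\\fs01\\finance", "name": "docs\\subgroups.xml", "size": 4410}),
    json.dumps({"ts": 1585814405.0, "uid": "C4J4Th3PJpwUYZZ6gc", "id.orig_h": "10.0.0.50",
                "id.orig_p": 50877, "id.resp_h": "10.0.0.9", "id.resp_p": 445,
                "fuid": "FwX9pN1aNfnHVhZxe", "action": "SMB::FILE_READ",
                "path": "\\\\ex01\\D$", "name": "Exchange\\Mailbox Database.edb", "size": 53687091200}),
]


def name_matches(name: str) -> bool:
    """Sigma `name|endswith` against the rule's value list, case-insensitive."""
    if not name:
        return False
    lowered = name.lower()
    return any(lowered.endswith(suffix) for suffix in SENSITIVE_SUFFIXES)


def scan_smb_files(lines, allowlisted_sources=frozenset()):
    """Return (orig_h, path, name, action) for every record the selection matches.

    allowlisted_sources is a hypothetical tuning knob (not in the rule): client
    addresses, such as a backup server, that are expected to touch these files.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("id.orig_h") in allowlisted_sources:
            continue
        if name_matches(rec.get("name", "")):
            hits.append((rec["id.orig_h"], rec.get("path", ""), rec["name"], rec.get("action", "")))
    return hits


if __name__ == "__main__":
    for orig_h, path, name, action in scan_smb_files(SAMPLE_SMB_FILES_LOG):
        print(f"{orig_h} {action} {path}\\{name}")
```

Running the sample end to end produces four hits (the PST archive, the SYSVOL Groups.xml, the .kirbi ticket and the Exchange .edb); passing `allowlisted_sources={"10.0.0.50"}` drops the backup server's .edb read and leaves three. A backend that compared case-sensitively would miss the first two, which is the main thing to verify when this rule is converted for a SIEM.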
