Transferring Files with Credential Data via Network Shares - Zeek
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Sigma rule (View on GitHub)
1title: Transferring Files with Credential Data via Network Shares - Zeek
2id: 2e69f167-47b5-4ae7-a390-47764529eff5
3related:
4 - id: 910ab938-668b-401b-b08c-b596e80fdca5
5 type: similar
6status: test
7description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
8references:
9 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
10author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
11date: 2020/04/02
12modified: 2021/11/27
13tags:
14 - attack.credential_access
15 - attack.t1003.002
16 - attack.t1003.001
17 - attack.t1003.003
18logsource:
19 product: zeek
20 service: smb_files
21detection:
22 selection:
23 name:
24 - '\mimidrv'
25 - '\lsass'
26 - '\windows\minidump\'
27 - '\hiberfil'
28 - '\sqldmpr'
29 - '\sam'
30 - '\ntds.dit'
31 - '\security'
32 condition: selection
33falsepositives:
34 - Transferring sensitive files for legitimate administration work by legitimate administrator
35level: medium
References
-
Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free
Read More
Related rules
- Possible Impacket SecretDump Remote Activity - Zeek
- Esentutl Volume Shadow Copy Service Keys
- NTDSutil Pulling of NTDS.dit File
- Abnormal LSASS Child and Parent Process Relationships
- Abnormal LSASS Process Access and Injection