Stored Credentials in Fake Files

 1title: Stored Credentials in Fake Files
 2id: 692b979c-f747-41dc-ad72-1f11c01b110e
 3description: Search for accessing of fake files with stored credentials
 4status: unsupported
 5author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 6date: 2020/10/05
 7references: 
 8    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
 9tags:
10    - attack.credential_access
11    - attack.t1555
12logsource:
13    product: windows
14    service: security
15detection:
16    selection:
17        EventID: 4663
18        AccessList|contains: '%%4416'
19        ObjectName|endswith:
20            - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
21            - '\%FOLDER_NAME%\Unattend.xml'
22    condition: selection
23fields:
24    - EventID
25    - AccessList
26    - ObjectName
27falsepositives:
28    - Unknown
29level: high```

References

• ÿØÿàJFIF
  
  
  
  ÿâICC_PROFILE
  
   lcmsmntrRGB XYZ Ü
  )9acspAPPLöÖ
  Ó-lcms descü^cprt
  \wtpt
  hbkpt
  |rXYZ
  �gXYZ
  ¤bXYZ
  ¸rTRC
  Ì@gTRC
  Ì@bTRC
  Ì@descc2textFBXYZ öÖ
  Ó-XYZ 3¤XYZ o¢8õ�XYZ b™·…ÚX...

  
  Read More

Related rules

• Failed Logins with Different Accounts from Single Source - Linux
• Sign-in Failure Bad Password Threshold
• Possible Impacket GetUserSPNs Activity
• External Remote Service Logon from Public IP
• Mimikatz Command Line With Ticket Export