Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
Sigma rule
```yaml
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
related:
    - id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
      type: similar
status: test
description: Detects known sensitive file extensions accessed on a network share
references:
    - Internal Research
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1039
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith:
            - '.bak'
            - '.dmp'
            - '.edb'
            - '.kirbi'
            - '.msg'
            - '.nsf'
            - '.nst'
            - '.oab'
            - '.ost'
            - '.pst'
            - '.rdp'
            - '\groups.xml'
    condition: selection
falsepositives:
    - Help Desk operator doing backup or re-imaging end user machine or backup software
    - Users working with these data types or exchanging message files
level: medium
```
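As an added example (not part of the Sigma project or of this rule), the selection logic above evaluated in Python against constructed Security 5145 events. Sigma string modifiers match case-insensitively by default, so the matcher lowercases both sides; the sample events, their field values and the helper names are assumptions.

```python
"""Evaluate the 'Suspicious Access to Sensitive File Extensions' selection
against constructed Windows Security 5145 events (added example)."""
from typing import Dict, Iterable, List, Tuple

# Suffix list copied from the rule's RelativeTargetName|endswith selection.
SENSITIVE_SUFFIXES = ['.bak', '.dmp', '.edb', '.kirbi', '.msg', '.nsf',
                      '.nst', '.oab', '.ost', '.pst', '.rdp', '\\groups.xml']


def sigma_endswith(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma 'endswith' is case-insensitive by default; a lone backslash in a
    value is a literal backslash, so '\\groups.xml' matches '...\\Groups.xml'."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection -> EventID 5145 AND RelativeTargetName|endswith.
    5145 ('network share object was checked ...') is only logged when the
    'Audit Detailed File Share' subcategory is enabled."""
    if str(event.get("EventID")) != "5145":
        return False
    return sigma_endswith(event.get("RelativeTargetName", ""), SENSITIVE_SUFFIXES)


# Constructed sample events (not real telemetry); keys follow the 5145 schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "5145", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Users",
     "RelativeTargetName": "jdoe\\Documents\\Outlook\\archive.PST"},
    {"EventID": "5145", "SubjectUserName": "svc_backup", "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": "corp.local\\Policies\\{GPO-GUID}\\Machine\\Preferences\\Groups\\Groups.xml"},
    {"EventID": "5145", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Projects",
     "RelativeTargetName": "notes\\readme.txt"},
    # 5140 is share-level access, not the per-object check the rule keys on.
    {"EventID": "5140", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Users",
     "RelativeTargetName": "jdoe\\mailbox.ost"},
]


def find_hits(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, target) pairs for events the rule would alert on."""
    return [(e["SubjectUserName"], e["RelativeTargetName"])
            for e in events if rule_matches(e)]


if __name__ == "__main__":
    for user, target in find_hits(SAMPLE_EVENTS):
        print(f"ALERT {user} accessed {target}")
```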
Related rules
- Copy From Or To Admin Share Or Sysvol Folder
- 7Zip Compressing Dump Files
- ADFS Database Named Pipe Connection By Uncommon Tool
- AWS EC2 VM Export Failure
- Audio Capture