Suspicious Access to Sensitive File Extensions

calendar Jan 29, 2024 · attack.collection attack.t1039  ·
Share on: linkedin copy

Detects known sensitive file extensions accessed on a network share

Sigma rule (View on GitHub)

 1title: Suspicious Access to Sensitive File Extensions
 2id: 91c945bc-2ad1-4799-a591-4d00198a1215
 3related:
 4    - id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
 5      type: similar
 6status: test
 7description: Detects known sensitive file extensions accessed on a network share
 8references:
 9    - Internal Research
10author: Samir Bousseaden
11date: 2019/04/03
12modified: 2022/10/09
13tags:
14    - attack.collection
15    - attack.t1039
16logsource:
17    product: windows
18    service: security
19detection:
20    selection:
21        EventID: 5145
22        RelativeTargetName|endswith:
23            - '.bak'
24            - '.dmp'
25            - '.edb'
26            - '.kirbi'
27            - '.msg'
28            - '.nsf'
29            - '.nst'
30            - '.oab'
31            - '.ost'
32            - '.pst'
33            - '.rdp'
34            - '\groups.xml'
35    condition: selection
36falsepositives:
37    - Help Desk operator doing backup or re-imaging end user machine or backup software
38    - Users working with these data types or exchanging message files
39level: medium

References

Related rules

to-top