Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Sigma rule (View on GitHub)
1title: Transferring Files with Credential Data via Network Shares
2id: 910ab938-668b-401b-b08c-b596e80fdca5
3related:
4 - id: 2e69f167-47b5-4ae7-a390-47764529eff5
5 type: similar
6status: test
7description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
8references:
9 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
10author: Teymur Kheirkhabarov, oscd.community
11date: 2019-10-22
12modified: 2025-07-11
13tags:
14 - attack.credential-access
15 - attack.t1003.002
16 - attack.t1003.001
17 - attack.t1003.003
18logsource:
19 product: windows
20 service: security
21detection:
22 selection_eid:
23 EventID: 5145
24 selection_object:
25 - RelativeTargetName|contains:
26 - '\mimidrv'
27 - '\lsass'
28 - '\windows\minidump\'
29 - '\hiberfil'
30 - '\sqldmpr'
31 - RelativeTargetName:
32 - 'Windows\NTDS\ntds.dit'
33 - 'Windows\System32\config\SAM'
34 - 'Windows\System32\config\SECURITY'
35 - 'Windows\System32\config\SYSTEM'
36 condition: all of selection_*
37falsepositives:
38 - Transferring sensitive files for legitimate administration work by legitimate administrator
39level: medium
References
-
The document discusses credential dumping techniques in Windows environments, highlighting methods used by various threat actor groups to extract sensitive information from systems, including tools like Mimikatz and WCE. It emphasizes the importance of detecting such activities through system logs (Sysmon and Windows Event Logs) and outlines potential data sources such as LSASS memory, SAM registry hives, and other offline methods. Additionally, it touches on the use of native Windows features for monitoring and auditing access to sensitive data, providing practical guidance for detecting credential extraction attempts. - Download as a PDF, PPTX or view online for free
Read More
Related rules
- Transferring Files with Credential Data via Network Shares - Zeek
- Antivirus Password Dumper Detection
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Credential Dumping Tools Named Pipe Created