Transferring Files with Credential Data via Network Shares

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Sigma rule

title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
    - id: 2e69f167-47b5-4ae7-a390-47764529eff5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2021/11/30
tags:
    - attack.credential_access
    - attack.t1003.002
    - attack.t1003.001
    - attack.t1003.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|contains:
            - '\mimidrv'
            - '\lsass'
            - '\windows\minidump\'
            - '\hiberfil'
            - '\sqldmpr'
            - '\sam'
            - '\ntds.dit'
            - '\security'
    condition: selection
falsepositives:
    - Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
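The following is an added example, not code from the Sigma project or the rule author, that re-implements the rule's `selection` in Python and runs it over a few constructed Event ID 5145 records (the field names mirror the Windows security event; the records themselves are made up for the example). Event 5145 is only written when the "Audit Detailed File Share" subcategory is enabled, so the rule is silent on hosts without that audit policy. The example also shows the caveat a tuner should expect: Sigma's `contains` is a case-insensitive substring match, so the short terms `\sam` and `\security` also fire on paths such as `\samples\...`, which is where the `falsepositives` entry comes into play.

```python
"""Re-implementation of the rule's `selection` over constructed 5145 events.

Added example; not code from the Sigma project or the rule author.
"""
from typing import Dict, List

# The RelativeTargetName substrings from the rule, unchanged (backslashes escaped).
SUSPICIOUS_SUBSTRINGS: List[str] = [
    "\\mimidrv",
    "\\lsass",
    "\\windows\\minidump\\",
    "\\hiberfil",
    "\\sqldmpr",
    "\\sam",
    "\\ntds.dit",
    "\\security",
]


def matched_substrings(event: Dict[str, str]) -> List[str]:
    """Return the rule substrings found in the event's RelativeTargetName.

    Sigma string modifiers match case-insensitively, so both sides are lower-cased.
    An event with a different EventID never matches, whatever its target name.
    """
    if str(event.get("EventID", "")) != "5145":
        return []
    target = event.get("RelativeTargetName", "").lower()
    return [s for s in SUSPICIOUS_SUBSTRINGS if s in target]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies `condition: selection`."""
    return bool(matched_substrings(event))


def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every event and return one alert record per match."""
    alerts = []
    for ev in events:
        hits = matched_substrings(ev)
        if hits:
            alerts.append({
                "SubjectUserName": ev.get("SubjectUserName", ""),
                "IpAddress": ev.get("IpAddress", ""),
                "ShareName": ev.get("ShareName", ""),
                "RelativeTargetName": ev.get("RelativeTargetName", ""),
                "matched": hits,
            })
    return alerts


# Constructed sample events (not real telemetry). Field names follow Event 5145.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # True positive: an LSASS dump pulled over the admin share; mixed case on purpose.
    {"EventID": "5145", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\lsass.DMP"},
    # True positive: a copy of the AD database.
    {"EventID": "5145", "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.40",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\ntds.dit"},
    # Substring caveat: '\samples' contains '\sam', so this benign document fires too.
    {"EventID": "5145", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\Projects", "RelativeTargetName": "Docs\\samples\\report.docx"},
    # Benign: no listed substring.
    {"EventID": "5145", "SubjectUserName": "asmith", "IpAddress": "10.0.0.31",
     "ShareName": "\\\\*\\Public", "RelativeTargetName": "quarterly\\budget.xlsx"},
    # Wrong EventID: the EventID gate must reject it even with a suspicious name
    # (a real 5140 carries no RelativeTargetName; the field is constructed here).
    {"EventID": "5140", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\lsass.dmp"},
]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints three alerts: the two credential-file transfers and the `\samples\report.docx` hit. The third one is the kind of record that the `falsepositives` entry anticipates; tightening it means either lengthening the short terms (for example matching `\sam.` or `\sam\` rather than `\sam`) or adding an exclusion for known administrative accounts or shares, both of which trade a little coverage for less noise.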
