Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Sigma rule (View on GitHub)
1title: Transferring Files with Credential Data via Network Shares
2id: 910ab938-668b-401b-b08c-b596e80fdca5
3related:
4 - id: 2e69f167-47b5-4ae7-a390-47764529eff5
5 type: similar
6status: test
7description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
8references:
9 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
10author: Teymur Kheirkhabarov, oscd.community
11date: 2019-10-22
12modified: 2021-11-30
13tags:
14 - attack.credential-access
15 - attack.t1003.002
16 - attack.t1003.001
17 - attack.t1003.003
18logsource:
19 product: windows
20 service: security
21detection:
22 selection:
23 EventID: 5145
24 RelativeTargetName|contains:
25 - '\mimidrv'
26 - '\lsass'
27 - '\windows\minidump\'
28 - '\hiberfil'
29 - '\sqldmpr'
30 - '\sam'
31 - '\ntds.dit'
32 - '\security'
33 condition: selection
34falsepositives:
35 - Transferring sensitive files for legitimate administration work by legitimate administrator
36level: medium
References
Related rules
- Cred Dump Tools Dropped Files
- Transferring Files with Credential Data via Network Shares - Zeek
- Antivirus Password Dumper Detection
- Copying Sensitive Files with Credential Data
- Credential Dumping Tools Service Execution - Security