file_access

Access To .Reg/.Hive Files By Uncommon Application

Oct 28, 2023 · attack.t1112 attack.defense_evasion ·

Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.

Access To Browser Credential Files By Uncommon Application

Oct 28, 2023 · attack.t1003 attack.credential_access ·

Share on:

Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

Access To Windows Credential History File By Uncommon Application

Sep 15, 2023 · attack.credential_access attack.t1555.004 ·

Share on:

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function

Access To Windows DPAPI Master Keys By Uncommon Application

Sep 15, 2023 · attack.credential_access attack.t1555.004 ·

Share on:

Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function

Credential Manager Access By Uncommon Application

Sep 15, 2023 · attack.t1003 attack.credential_access ·

Share on:

Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function