Access To Potentially Sensitive Sysvol Files By Uncommon Application
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Sigma rule
title: Access To Potentially Sensitive Sysvol Files By Uncommon Application
id: d51694fe-484a-46ac-92d6-969e76d60d10
related:
    - id: 8344c19f-a023-45ff-ad63-a01c5396aea0
      type: derived
status: experimental
description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
references:
    - https://github.com/vletoux/pingcastle
author: frack113
date: 2023/12/21
tags:
    - attack.credential_access
    - attack.t1552.006
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|startswith: '\\'
        FileName|contains|all:
            - '\sysvol\'
            - '\Policies\'
        FileName|endswith:
            - 'audit.csv'
            - 'Files.xml'
            - 'GptTmpl.inf'
            - 'groups.xml'
            - 'Registry.pol'
            - 'Registry.xml'
            - 'scheduledtasks.xml'
            - 'scripts.ini'
            - 'services.xml'
    filter_main_generic:
        Image|startswith:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\explorer.exe'
            - ':\Windows\system32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
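To see exactly which file-access events the rule above would flag and which the `filter_main_generic` exclusion suppresses, the following Python mirrors its `selection`, filter and `condition` logic and runs it over a handful of constructed Kernel-File style events. This is an added example for reasoning about the match logic; it is not part of the rule, the Sigma project or any Sigma backend. The hostnames, policy GUID and image paths in the sample events are placeholders, and the drive-letter stripping in `filter_main_generic` is an assumption about the filter's intent (its prefixes begin at the drive colon), not Sigma's `startswith` semantics.

```python
"""Constructed mirror of the Sigma rule's detection logic (example code, not the rule itself)."""
from typing import Dict, List

# Values copied from the rule. Sigma string modifiers match case-insensitively,
# so every comparison below is done on lower-cased strings.
SENSITIVE_SUFFIXES = (
    "audit.csv", "files.xml", "gpttmpl.inf", "groups.xml", "registry.pol",
    "registry.xml", "scheduledtasks.xml", "scripts.ini", "services.xml",
)
TRUSTED_IMAGE_PREFIXES = (
    ":\\program files (x86)\\", ":\\program files\\", ":\\windows\\explorer.exe",
    ":\\windows\\system32\\", ":\\windows\\syswow64\\",
)


def selection(file_name: str) -> bool:
    """selection: UNC-style path under \\sysvol\\ and \\Policies\\ ending in a GPO/GPP file."""
    f = file_name.lower()
    return (
        f.startswith("\\")                 # FileName|startswith: '\\'
        and "\\sysvol\\" in f              # FileName|contains|all
        and "\\policies\\" in f
        and f.endswith(SENSITIVE_SUFFIXES)  # FileName|endswith
    )


def filter_main_generic(image: str) -> bool:
    """filter_main_generic: Image|startswith one of the trusted prefixes.

    Assumption: the rule's prefixes start at ':\\', so a leading drive letter is
    dropped before comparing, making 'C:\\Windows\\system32\\svchost.exe' match.
    """
    img = image.lower()
    if len(img) >= 2 and img[0].isalpha() and img[1] == ":":
        img = img[1:]
    return img.startswith(TRUSTED_IMAGE_PREFIXES)


def evaluate(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event.get("FileName", "")) and not filter_main_generic(event.get("Image", ""))


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events the rule would alert on."""
    return [e for e in events if evaluate(e)]


# Constructed sample events (placeholder domain, GUID and paths).
GPO = r"\\corp.example.local\sysvol\corp.example.local\Policies\{00000000-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    # Unsigned tool in a user temp dir reading a GPP groups file -> alert
    {"FileName": GPO + r"\Machine\Preferences\Groups\Groups.xml",
     "Image": r"C:\Users\alice\AppData\Local\Temp\gpp-scan.exe"},
    # Same file read by the Group Policy client host -> suppressed by filter
    {"FileName": GPO + r"\Machine\Preferences\Groups\Groups.xml",
     "Image": r"C:\Windows\system32\svchost.exe"},
    # Logon script outside \Policies\ with a non-listed suffix -> no match
    {"FileName": r"\\corp.example.local\sysvol\corp.example.local\scripts\logon.bat",
     "Image": r"C:\Users\alice\AppData\Local\Temp\gpp-scan.exe"},
    # Local copy, not a UNC path -> no match
    {"FileName": r"C:\ProgramData\backup\Registry.pol",
     "Image": r"C:\Users\alice\AppData\Local\Temp\gpp-scan.exe"},
    # Security template read from a non-system drive -> alert
    {"FileName": GPO + r"\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf",
     "Image": r"D:\Tools\dumper.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["FileName"])
```

Running the block prints the two alerting events and drops the svchost.exe read, which shows why the filter matters: the Group Policy client legitimately reads these files on every refresh, so without the exclusion the rule would fire constantly. For production use, compile the rule with a Sigma backend rather than hand-translating it; a harness like this is useful for checking that an added filter entry actually covers the path form your telemetry emits.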
References
- https://github.com/vletoux/pingcastle
Related rules
- Findstr GPP Passwords
- LSASS Process Reconnaissance Via Findstr.EXE
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- Suspicious SYSVOL Domain Group Policy Access
- Suspicious SYSTEM User Process Creation