Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share. The Group Policy Preference files in the list (Groups.xml, Services.xml, ScheduledTasks.xml) can carry cpassword-encrypted credentials (MITRE ATT&CK T1552.006), and GptTmpl.inf, Registry.pol, audit.csv and scripts.ini expose the domain's security settings; audit tools such as PingCastle read them, but so does an attacker enumerating the domain. Access by explorer.exe or by binaries under Program Files, System32 and SysWOW64 is filtered out, so the rule is aimed at tooling run from user-writable locations. Note that the filter also excludes System32-hosted interpreters such as PowerShell, and that the UNC-path requirement means local SYSVOL paths on a domain controller do not match.
Sigma rule
```yaml
title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
id: d51694fe-484a-46ac-92d6-969e76d60d10
related:
    - id: 8344c19f-a023-45ff-ad63-a01c5396aea0
      type: derived
status: experimental
description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
references:
    - https://github.com/vletoux/pingcastle
author: frack113
date: 2023-12-21
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|startswith: '\\'
        FileName|contains|all:
            - '\sysvol\'
            - '\Policies\'
        FileName|endswith:
            - 'audit.csv'
            - 'Files.xml'
            - 'GptTmpl.inf'
            - 'groups.xml'
            - 'Registry.pol'
            - 'Registry.xml'
            - 'scheduledtasks.xml'
            - 'scripts.ini'
            - 'services.xml'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
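To make the rule's matching behaviour concrete, the following is an added example (not code from the rule, its author or SigmaHQ) that re-implements the `selection`, `filter_main_*` and `condition` logic in Python and runs it over constructed file-access events. Host names, user names, tool paths and event names are made up; the GPO GUID is the well-known Default Domain Policy identifier. Sigma string modifiers are case-insensitive, which the code reproduces by lower-casing both sides. The sample set includes the cases a practitioner should know about: explorer.exe and the Group Policy client are filtered, a System32-hosted PowerShell is filtered too (a coverage gap), a file not in the `endswith` list is ignored, and a local SYSVOL path on a domain controller fails the UNC check.

```python
"""Python re-implementation of the Sigma rule's matching logic, run over
constructed file-access events. Added example, not part of the rule."""

SENSITIVE_SUFFIXES = (
    "audit.csv", "files.xml", "gpttmpl.inf", "groups.xml", "registry.pol",
    "registry.xml", "scheduledtasks.xml", "scripts.ini", "services.xml",
)
TRUSTED_IMAGE_PREFIXES = (
    "c:\\program files (x86)\\",
    "c:\\program files\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
EXPLORER = "c:\\windows\\explorer.exe"


def selection_matches(file_name: str) -> bool:
    """'selection': a UNC path (two leading backslashes) into a Policies
    folder of a SYSVOL share whose file name is one of the listed files."""
    f = file_name.lower()
    return (
        f.startswith("\\\\")
        and "\\sysvol\\" in f
        and "\\policies\\" in f
        and f.endswith(SENSITIVE_SUFFIXES)
    )


def filter_matches(image: str) -> bool:
    """'filter_main_generic' or 'filter_main_explorer': the accessing process
    lives under a trusted directory or is explorer.exe itself."""
    i = image.lower()
    return i.startswith(TRUSTED_IMAGE_PREFIXES) or i == EXPLORER


def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(event.get("FileName", "")) and not filter_matches(
        event.get("Image", "")
    )


def evaluate(events):
    """Return the names of the events the rule would alert on, in order."""
    return [e["name"] for e in events if rule_fires(e)]


# Constructed sample events (hypothetical hosts, users and tool paths).
# The GUID is the well-known Default Domain Policy GPO identifier.
GPO = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
UNC_GPO = "\\\\corp.example.com\\sysvol\\corp.example.com\\Policies\\" + GPO
LOCAL_GPO = "C:\\Windows\\SYSVOL\\sysvol\\corp.example.com\\Policies\\" + GPO
SECEDIT = "\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf"
GROUPS = "\\Machine\\Preferences\\Groups\\Groups.xml"

SAMPLE_EVENTS = [
    # Tool run from a user profile reads a GPP Groups.xml: fires.
    {"name": "pingcastle-groups-xml",
     "Image": "C:\\Users\\alice\\Downloads\\PingCastle.exe",
     "FileName": UNC_GPO + GROUPS},
    # Same file opened by explorer.exe: excluded by filter_main_explorer.
    {"name": "explorer-browsing",
     "Image": "C:\\Windows\\explorer.exe",
     "FileName": UNC_GPO + GROUPS},
    # Group Policy client (svchost) pulling Registry.pol: excluded by the
    # System32 prefix, which keeps the rule quiet during GP refresh.
    {"name": "gpsvc-registry-pol",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "FileName": UNC_GPO + "\\Machine\\Registry.pol"},
    # Coverage gap: PowerShell lives under System32, so a script reading
    # GPP files is filtered out as well.
    {"name": "powershell-groups-xml",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "FileName": UNC_GPO + GROUPS},
    # GPT.INI is not in the endswith list: no match.
    {"name": "gpt-ini-not-listed",
     "Image": "C:\\Users\\alice\\Downloads\\PingCastle.exe",
     "FileName": UNC_GPO + "\\GPT.INI"},
    # Local path on a domain controller has no leading '\\': no match.
    {"name": "local-path-on-dc",
     "Image": "C:\\Tools\\dump.exe",
     "FileName": LOCAL_GPO + SECEDIT},
    # Different server name and mixed case still match (case-insensitive).
    {"name": "renamed-tool-in-temp",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\gpo.exe",
     "FileName": "\\\\DC01\\SYSVOL\\corp.example.com\\Policies\\" + GPO + SECEDIT},
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Running the block alerts on `pingcastle-groups-xml` and `renamed-tool-in-temp` only. The `powershell-groups-xml` and `local-path-on-dc` cases show where a detection engineer may want a companion rule (for example, one keyed on the process's command line rather than its image path, or one that accepts the local SYSVOL path on domain controllers).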
References
- https://github.com/vletoux/pingcastle
Related rules
- Findstr GPP Passwords
- LSASS Process Reconnaissance Via Findstr.EXE
- Suspicious SYSVOL Domain Group Policy Access
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript