Typical HiveNightmare SAM File Export

Detects files written by the different tools that exploit HiveNightmare

Sigma rule

```yaml
title: Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021/07/23
modified: 2022/10/09
tags:
    - attack.credential_access
    - attack.t1552.001
    - cve.2021.36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
              - '\hive_sam_'  # Go version
              - '\SAM-2021-'  # C++ version
              - '\SAM-2022-'  # C++ version
              - '\SAM-2023-'  # C++ version
              - '\SAM-haxx'   # Early C++ versions
              - '\Sam.save'   # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam'  # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high
```
