Copying Sensitive Files with Credential Data

calendar Mar 5, 2023 · attack.credential_access attack.t1003.002 attack.t1003.003 car.2013-07-001 attack.s0404  ·
Share on: linkedin copy

Files with well-known filenames (sensitive files with credential data) copying

Sigma rule (View on GitHub)

 1title: Copying Sensitive Files with Credential Data
 2id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
 3status: test
 4description: Files with well-known filenames (sensitive files with credential data) copying
 5references:
 6    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
 7    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 8    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 9author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
10date: 2019/10/22
11modified: 2022/11/11
12tags:
13    - attack.credential_access
14    - attack.t1003.002
15    - attack.t1003.003
16    - car.2013-07-001
17    - attack.s0404
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_esent_img:
23        - Image|endswith: '\esentutl.exe'
24        - OriginalFileName: '\esentutl.exe'
25    selection_esent_cli:
26        CommandLine|contains:
27            - 'vss'
28            - ' /m '
29            - ' /y '
30    selection_susp_paths:
31        CommandLine|contains:
32            - '\windows\ntds\ntds.dit'
33            - '\config\sam'
34            - '\config\security'
35            - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
36            - '\repair\sam'
37            - '\repair\system'
38            - '\repair\security'
39            - '\config\RegBack\sam'
40            - '\config\RegBack\system'
41            - '\config\RegBack\security'
42    condition: all of selection_esent_* or selection_susp_paths
43falsepositives:
44    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator
45level: high

References

  • Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1

    This and part 2 are mostly just an update to http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html but without the need for VSSOwn, that and we are doing it remotely without the need for shell on the DC. Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV and GPOs not allowing anyone to RDP in (Even Domain Admins) unless they provided some kind of voodo happy dance? Ya me neither, but here is how you can still dump domain hashes and hash history if you run into that case.


    Read More

  • Hunting for Credentials Dumping in Windows Environment

    Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free


    Read More

  • Locked File Access Using ESENTUTL.exe

    I’m currently working on a solution to collect files off a live system to be used during some IR processes. I won’t go into any great detail but I’m limited to only using built-in…


    Read More

Related rules

to-top