PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives
Sigma rule

```yaml
title: PowerShell SAM Copy
id: 1af57a4b-460a-4738-9034-db68b880c665
status: test
description: Detects suspicious PowerShell scripts accessing SAM hives
references:
    - https://twitter.com/splinter_code/status/1420546784250769408
author: Florian Roth (Nextron Systems)
date: 2021-07-29
modified: 2023-01-06
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '\HarddiskVolumeShadowCopy'
            - 'System32\config\sam'
    selection_2:
        CommandLine|contains:
            - 'Copy-Item'
            - 'cp $_.'
            - 'cpi $_.'
            - 'copy $_.'
            - '.File]::Copy('
    condition: all of selection*
falsepositives:
    - Some rare backup scenarios
    - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
level: high
```
Related rules
- Copying Sensitive Files with Credential Data
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Critical Hive In Suspicious Location Access Bits Cleared