SigmaHQ/rules/windows/builtin/win_susp_sam_dump.yml

title: SAM Dump to AppData
status: experimental
description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
tags:
    - attack.credential_access
    - attack.t1003
author: Florian Roth
logsource:
    product: windows
    service: system
    definition: The source of this type of event is Kernel-General
detection:
    selection:
        EventID: 16
    keywords:
        - '*\AppData\Local\Temp\SAM-*.dmp *'
    condition: all of them
falsepositives:
    - Penetration testing
level: high
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: SAM Dump to AppData`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`status: experimental`
			`description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers`
windows builtin mitre attack tags 2018-07-24 04:34:20 +00:00			`tags:`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`- attack.credential_access`
			`- attack.t1003`
fix: duplicate 'tag' key in rule 2018-09-04 12:56:55 +00:00			`author: Florian Roth`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`logsource:`
			`product: windows`
			`service: system`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: The source of this type of event is Kernel-General`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`detection:`
			`selection:`
			`EventID: 16`
Fixed parse errors 2017-08-02 20:49:15 +00:00			`keywords:`
			`- '\AppData\Local\Temp\SAM-.dmp *'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`condition: all of them`
windows builtin mitre attack tags 2018-07-24 04:34:20 +00:00			`falsepositives:`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`- Penetration testing`
			`level: high`