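# Sigma detection rule. The rendered view had flattened every key to column 0 and
# interleaved it with blame chrome; block structure is restored here so the file
# parses as a Sigma rule again. All rule values are unchanged.
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
description: Detects known sensitive file extensions accessed on a network share
author: Samir Bousseaden
date: 2019/04/03
modified: 2020/08/23
tags:
    - attack.collection
    - attack.t1039
logsource:
    product: windows
    # Windows Security log. Event 5145 is only written when the
    # "Detailed File Share" audit subcategory is enabled on the file server;
    # without it this rule can never fire.
    service: security
detection:
    selection:
        # 5145: a network share object was checked for the requested access.
        # This event is high-volume on busy file servers; scope the log source
        # accordingly before deploying the rule.
        EventID:
            - 5145
        # Suffix match on the share-relative path. Sigma string matching is
        # case-insensitive by default, so '.PST' is covered as well.
        RelativeTargetName|endswith:
            # Outlook / Exchange mail stores and offline address books
            - '.pst'
            - '.ost'
            - '.msg'
            - '.nst'
            - '.oab'
            # ESE database files (e.g. Exchange)
            - '.edb'
            # Lotus Notes database
            - '.nsf'
            # Generic backups and memory dumps - likely the noisiest entries;
            # tune or drop per environment rather than raising the level.
            - '.bak'
            - '.dmp'
            # Exported Kerberos ticket files
            - '.kirbi'
            # Group Policy Preferences file that may hold stored credential
            # material; single-quoted so the backslash stays literal.
            - '\groups.xml'
            # RDP connection files may embed target host and user name
            - '.rdp'
    condition: selection
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
    - RelativeTargetName
falsepositives:
    - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
    - Users working with these data types or exchanging message files
level: medium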