SigmaHQ/rules/windows/builtin/win_susp_sam_dump.yml

24 lines
640 B
YAML
Raw Normal View History

2018-01-27 09:57:30 +00:00
title: SAM Dump to AppData
2019-11-12 22:12:27 +00:00
id: 839dd1e8-eda8-4834-8145-01beeee33acd
status: experimental
description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
2018-07-24 04:34:20 +00:00
tags:
2018-07-24 05:50:32 +00:00
- attack.credential_access
- attack.t1003 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1003.002
2018-09-04 12:56:55 +00:00
author: Florian Roth
date: 2018/01/27
logsource:
product: windows
service: system
definition: The source of this type of event is Kernel-General
detection:
selection:
EventID: 16
Message:
- '*\AppData\Local\Temp\SAM-*.dmp *'
condition: selection
2018-07-24 04:34:20 +00:00
falsepositives:
- Penetration testing
level: high