SigmaHQ/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml

32 lines
800 B
YAML
Raw Normal View History

title: Suspicious access to sensitive file extensions
2019-11-12 22:12:27 +00:00
id: 91c945bc-2ad1-4799-a591-4d00198a1215
description: Detects known sensitive file extensions
author: Samir Bousseaden
tags:
- attack.collection
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 5145
RelativeTargetName:
- '*.pst'
- '*.ost'
- '*.msg'
- '*.nst'
- '*.oab'
- '*.edb'
- '*.nsf'
- '*.bak'
- '*.dmp'
- '*.kirbi'
- '*\ntds.dit'
- '*\groups.xml'
- '*.rdp'
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
level: high