Update process_creation_grabbing_sensitive_hives_via_reg.yml

This commit is contained in:
yugoslavskiy 2019-11-11 23:22:25 +03:00 committed by GitHub
parent 6b98c37910
commit cad0e30933
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,9 +1,11 @@
title: Grabbing sensitive hives via reg utility
description: Dump sam, system and security hives using REG.exe utility
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
description: Dump sam, system or security hives using REG.exe utility
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community
date: 2019/10/22
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
tags:
- attack.credential_access
- attack.t1003
@ -14,18 +16,20 @@ logsource:
detection:
selection_1:
NewProcessName: '*\reg.exe'
CommandLine|contains: save
CommandLine|contains:
- 'save'
- 'export'
selection_2:
- CommandLine|contains:
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
selection_3:
CommandLine|contains:
- 'system'
- 'sam'
- 'security'
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
condition: selection_1 and selection_2 and selection_3
falsepositives:
- Dumping hives for legitimate purpouse like backup or forensic investigation
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: medium
status: experimental
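Review bot: The new `CommandLine|endswith` in selection_3 matches the suffix of the whole command line, and for `reg save`/`reg export` the final argument is normally the destination file rather than the hive, so the rule fires only when the output path itself happens to end in `\sam`, `\system` or `\security` (as in the linked Atomic test) and is silent when the dump is written under another name. Keeping the backslash-prefixed values but switching the modifier to a substring match, `CommandLine|contains:`, keys the match on the `hklm\sam`-style hive argument that selection_2 already requires, while the leading backslash still avoids the bare-word hits the old `contains: 'sam'` produced. That does reopen matches on paths containing `\system` such as `\system32`, so the change is worth checking against baseline process-creation logs before merging; I cannot judge that noise level from this page. Separately, the reworded falsepositives entry keeps the typo `purpouse` (purpose).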