valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a68d50a5d9
SigmaHQ/rules/windows/builtin/win_protected_storage_service_access.yml
Yugoslavskiy Daniil 5026438524 fix modified field
2020-08-25 01:29:57 +02:00

25 lines
874 B
YAML
Raw Blame History

title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
status: experimental
date: 2019/08/10
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
tags:
- attack.lateral_movement
- attack.t1021 # an old one
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC'
RelativeTargetName: "protected_storage"
condition: selection
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink