mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
31 lines
759 B
YAML
31 lines
759 B
YAML
title: Suspicious access to sensitive file extensions
|
|
description: Detects known sensitive file extensions
|
|
author: Samir Bousseaden
|
|
tags:
|
|
- attack.collection
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 5145
|
|
RelativeTargetName:
|
|
- '*.pst'
|
|
- '*.ost'
|
|
- '*.msg'
|
|
- '*.nst'
|
|
- '*.oab'
|
|
- '*.edb'
|
|
- '*.nsf'
|
|
- '*.bak'
|
|
- '*.dmp'
|
|
- '*.kirbi'
|
|
- '*\ntds.dit'
|
|
- '*\groups.xml'
|
|
- '*.rdp'
|
|
condition: selection
|
|
falsepositives:
|
|
- Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
|
|
level: high
|