credentail_access_file_access_to_sam_database.yml
```yaml
name: File access to SAM database
id: e3dace20-4962-4381-884e-40dcdde66626
version: 1.0.7
description: |
  Identifies access to the Security Account Manager on-disk database.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.002
  subtechnique.name: Security Account Manager
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
condition: >
  open_file and
  file.path imatches
    (
      '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
      '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
      '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
    ) and
  ps.exe not imatches
    (
      '?:\\Program Files\\*',
      '?:\\Program Files (x86)\\*',
      '?:\\Windows\\System32\\lsass.exe',
      '?:\\Windows\\System32\\srtasks.exe',
      '?:\\Windows\\System32\\svchost.exe',
      '?:\\Windows\\System32\\Dism.exe',
      '?:\\Windows\\System32\\vmwp.exe',
      '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
      '?:\\Windows\\System32\\wuauclt.exe',
      '?:\\Windows\\System32\\MRT.exe'
    )
min-engine-version: 3.0.0
```
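To see which events the condition above actually flags, here is an added Python harness (not code from the rule engine or this rule set) that replays the rule over constructed events. It assumes `imatches` is a case-insensitive, whole-string glob where `?` matches exactly one character and `*` any run, and that the doubled backslashes in the YAML stand for one literal backslash; the event dicts and process paths are made up.

```python
import re

# Patterns copied from the rule above. The YAML single-quotes them with doubled
# backslashes; here (an assumption) each '\\' is one literal backslash.
SAM_PATHS = [
    r"?:\WINDOWS\SYSTEM32\CONFIG\SAM",
    r"\Device\HarddiskVolumeShadowCopy*\WINDOWS\SYSTEM32\CONFIG\SAM",
    r"\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\WINDOWS\SYSTEM32\CONFIG\SAM",
]
EXCLUDED_EXES = [
    r"?:\Program Files\*", r"?:\Program Files (x86)\*",
    r"?:\Windows\System32\lsass.exe", r"?:\Windows\System32\srtasks.exe",
    r"?:\Windows\System32\svchost.exe", r"?:\Windows\System32\Dism.exe",
    r"?:\Windows\System32\vmwp.exe", r"?:\$WINDOWS.~BT\Sources\SetupHost.exe",
    r"?:\Windows\System32\wuauclt.exe", r"?:\Windows\System32\MRT.exe",
]

def glob_to_regex(pattern: str) -> re.Pattern:
    # Assumed `imatches` semantics: case-insensitive, whole-string match,
    # `?` is exactly one character, `*` any run, everything else literal.
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)

def imatches(value: str, patterns: list[str]) -> bool:
    return any(glob_to_regex(p).match(value) for p in patterns)

def rule_fires(event: dict) -> bool:
    # The rule's `condition`, over a dict whose keys mirror the engine's fields.
    return (event["type"] == "open_file"
            and imatches(event["file.path"], SAM_PATHS)
            and not imatches(event["ps.exe"], EXCLUDED_EXES))

def evaluate_rule(events: list[dict]) -> list[bool]:
    return [rule_fires(e) for e in events]

# Constructed sample events (not real telemetry). Expected: [True, True, False, False, False]
SAMPLE_EVENTS = [
    {"type": "open_file", "file.path": r"C:\Windows\System32\config\SAM",
     "ps.exe": r"C:\Users\bob\AppData\Local\Temp\dumper.exe"},  # unknown process: fires
    {"type": "open_file", "file.path": r"\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM",
     "ps.exe": r"C:\Windows\System32\cmd.exe"},  # shadow-copy path, cmd.exe not excluded: fires
    {"type": "open_file", "file.path": r"\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM",
     "ps.exe": r"C:\Windows\System32\lsass.exe"},  # lsass.exe is on the exclusion list
    {"type": "open_file", "file.path": r"C:\Windows\System32\config\SAM",
     "ps.exe": r"C:\Program Files\Backup\agent.exe"},  # anything under Program Files is excluded
    {"type": "open_file", "file.path": r"C:\Windows\System32\config\SAM.LOG",
     "ps.exe": r"C:\Users\bob\AppData\Local\Temp\dumper.exe"},  # not the SAM hive itself
]
```

The last two cases are worth keeping in a rule test suite: the Program Files exclusion is a broad allow-list that any process installed there inherits, and the anchored match means transaction logs beside the hive are out of scope for this rule.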