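# Two-stage sequence rule: a process is spawned and, within 10 minutes, the
# same process (correlated by ps.uuid) opens registry keys under the SAM
# account hive. Each stage carries an allow-list of well-known Windows
# binaries and parents that touch these keys during normal operation; tune
# those lists per environment rather than widening the registry.path match.
name: Potential SAM hive dumping
id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
version: 1.0.8
description:
  Identifies access to the Security Account Manager registry hives.
# ATT&CK mapping: Credential Access -> OS Credential Dumping -> Security Account Manager.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1003
  technique.name: OS Credential Dumping
  technique.ref: https://attack.mitre.org/techniques/T1003/
  subtechnique.id: T1003.002
  subtechnique.name: Security Account Manager
  subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
references:
  - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry
# Stage 1 (spawn_process): excludes processes whose parent is an installed
# application under Program Files or svchost, plus two specific benign
# launches (ngen queued compilation; wevtutil started by Defender's MsMpEng).
# Stage 2 (open_registry): the path must fall under
# HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\*, minus a handful of keys that
# are read routinely; the ps.exe list names system binaries that legitimately
# open these keys.
# NOTE(review): the excluded path 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
# has no 'Domains\\' segment, so it can never match a path that the preceding
# clause already requires to start with '...\\SAM\\SAM\\Domains\\Account\\'.
# It is dead as written; if 'Domains\\Account\\Aliases\\*' was intended, confirm
# with the author before changing it. The previously duplicated cleanmgr.exe
# entry in the ps.exe list is listed once.
condition: >
  sequence
  maxspan 10m
  by ps.uuid
    |spawn_process and
      not (ps.parent.exe imatches
        (
          '?:\\Program Files\\*.exe',
          '?:\\Program Files (x86)\\*.exe',
          '?:\\Windows\\System32\\svchost.exe'
        ) or
        (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') or
        (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
      )
    |
    |open_registry and
      registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and
      registry.path not imatches
        (
          'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
          'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
          'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\WDAGUtilityAccount\\ChannelReferences',
          'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
          'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
        ) and
      ps.exe not imatches
        (
          '?:\\Windows\\System32\\lsass.exe',
          '?:\\Windows\\System32\\RuntimeBroker.exe',
          '?:\\Windows\\explorer.exe',
          '?:\\Windows\\System32\\Taskmgr.exe',
          '?:\\Windows\\System32\\sihost.exe',
          '?:\\Windows\\System32\\SearchIndexer.exe',
          '?:\\Windows\\System32\\SearchProtocolHost.exe',
          '?:\\Windows\\System32\\svchost.exe',
          '?:\\Windows\\System32\\services.exe',
          '?:\\Windows\\System32\\taskhostw.exe',
          '?:\\Windows\\System32\\backgroundTaskHost.exe',
          '?:\\Windows\\System32\\WerFault.exe',
          '?:\\Windows\\System32\\ctfmon.exe',
          '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe',
          '?:\\Windows\\System32\\CompatTelRunner.exe',
          '?:\\Windows\\System32\\cleanmgr.exe',
          '?:\\Windows\\System32\\MoUsoCoreWorker.exe',
          '?:\\Windows\\System32\\lpremove.exe',
          '?:\\Windows\\System32\\LogonUI.exe',
          '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
          '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
          '?:\\Windows\\System32\\ApplicationFrameHost.exe',
          '?:\\Windows\\System32\\wbem\\WMIADAP.exe'
        )
    |
min-engine-version: 3.0.0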