Type: Detection | Level: medium | Status: test

Suspicious Access to Sensitive File Extensions - Zeek

Detects SMB access to files with known sensitive extensions via Zeek smb_files logs

Author: Samir Bousseaden. Created Thu Apr 02, updated Fri Oct 17. Rule ID 286b47ed-f6fe-40b3-b3a8-35129acd43bc. Category: network.
Log Source
Product: Zeek (Bro) (raw: zeek)
Service: smb_files (raw: smb_files)
Detection Logic
detection:
    selection:
        name|endswith:
            - '.pst'
            - '.ost'
            - '.msg'
            - '.nst'
            - '.oab'
            - '.edb'
            - '.nsf'
            - '.bak'
            - '.dmp'
            - '.kirbi'
            # - '\groups.xml'  # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
            - '.rdp'
    condition: selection
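To show what the selection above actually matches once it runs over Zeek smb_files events, here is an added example (not part of the rule or the Sigma project) that evaluates the `name|endswith` list over constructed JSON-format smb_files records. It applies Sigma's default case-insensitive string matching, keeps `\groups.xml` excluded as the rule does, and illustrates the `endswith` caveat that a file such as `mailbox.pst.zip` is not selected; all IPs, names and timestamps are made up.

```python
import json

# Suffix list copied from the rule's selection; '\groups.xml' stays excluded as in the rule.
SENSITIVE_SUFFIXES = ('.pst', '.ost', '.msg', '.nst', '.oab', '.edb',
                      '.nsf', '.bak', '.dmp', '.kirbi', '.rdp')


def matches_rule(event):
    """Sigma 'name|endswith' over one Zeek smb_files record.

    Sigma string matching is case-insensitive by default, so the name is
    lowercased before the suffix test; a missing or non-string name never matches.
    """
    name = event.get("name")
    if not isinstance(name, str):
        return False
    return name.lower().endswith(SENSITIVE_SUFFIXES)


def triage(log_lines):
    """Return (client IP, file name) for every JSON smb_files line the rule selects."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if matches_rule(event):
            hits.append((event.get("id.orig_h"), event["name"]))
    return hits


# Constructed Zeek smb_files records in JSON log format (field names follow Zeek's
# smb_files.log; values are invented). Raw strings keep the JSON backslash escapes intact.
SAMPLE_LOG = [
    r'{"ts":1700000000.1,"uid":"CA1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\fs01\\users","name":"jdoe\\Outlook.PST","size":2048}',
    r'{"ts":1700000001.2,"uid":"CA2","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\fs01\\tmp","name":"krbtgt.kirbi","size":1337}',
    r'{"ts":1700000002.3,"uid":"CA3","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.1","action":"SMB::FILE_OPEN","path":"\\\\dc01\\SYSVOL","name":"groups.xml","size":512}',
    r'{"ts":1700000003.4,"uid":"CA4","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\fs01\\docs","name":"quarterly-report.pdf","size":90000}',
    r'{"ts":1700000004.5,"uid":"CA5","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\fs01\\tmp","name":"mailbox.pst.zip","size":70000}',
    r'{"ts":1700000005.6,"uid":"CA6","id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.10","action":"SMB::FILE_OPEN","path":"\\\\fs01\\tmp","size":1}',
    'this line is not JSON',
]

if __name__ == "__main__":
    for client, name in triage(SAMPLE_LOG):
        print(f"{client} accessed {name}")
```

Only the first two records are selected; the `.pst.zip` record shows why a rename or archive step slips past a suffix-only rule, which is worth remembering when tuning.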
False Positives

A help desk operator backing up or re-imaging an end user machine, or backup software doing the same

Users working with these data types or exchanging message files

References
1. Internal Research
MITRE ATT&CK
Rule Metadata
Rule ID
286b47ed-f6fe-40b3-b3a8-35129acd43bc
Status
test
Level
medium
Type
Detection
Created
Thu Apr 02
Modified
Fri Oct 17
Path
rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
Raw Tags
attack.collection