Type: Detection | Level: medium | Status: test
Transferring Files with Credential Data via Network Shares - Zeek
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Author: @neu5ron, Teymur Kheirkhabarov, oscd.community | Created: Thu Apr 02 | Updated: Sat Nov 27 | Rule ID: 2e69f167-47b5-4ae7-a390-47764529eff5 | Category: network
Log Source
Product: zeek (displayed as "Zeek (Bro)")
Service: smb_files
Detection Logic (1 selector)
detection:
    selection:
        name:
            - '\mimidrv'
            - '\lsass'
            - '\windows\minidump\'
            - '\hiberfil'
            - '\sqldmpr'
            - '\sam'
            - '\ntds.dit'
            - '\security'
    condition: selection
The single selector runs over the 'name' field of Zeek's smb_files.log, which holds the share-relative filename seen in the SMB request (the share itself is in 'path'). The listed values are path fragments rather than complete filenames, so check that the converted query applies them as case-insensitive substring matches; a whole-field equality comparison would almost never fire. Two limits follow from the shape of the list: every fragment starts with a backslash, so a file opened directly at a share root (for example 'ntds.dit' with no directory component) is not matched, and short fragments such as '\sam' and '\security' also hit unrelated names containing '\Samples\' or '\Security Policies\'.
False Positives
Transferring sensitive files for legitimate administration work by legitimate administrator
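To see what the selection above actually fires on, here is an added example (my code, not the Sigma project's or Zeek's) that parses Zeek TSV smb_files.log records and applies the 'name' list as case-insensitive substring matches. The log lines are constructed for the example; the '#fields' line uses a subset of the real smb_files.log columns, and the assumption that 'contains' semantics are intended for the bare 'name:' list is stated in the code.

```python
"""Apply the Sigma selection to Zeek smb_files.log records (TSV format).

Added example, not code from the Sigma project or from Zeek. The sample log
is constructed; its #fields line is a subset of the real smb_files.log columns.
"""
from typing import Any, Dict, Iterator, List

# The `name` values from the rule's selection block. They are path fragments,
# so they are applied as case-insensitive substring matches (Sigma `contains`
# semantics). That is an assumption: the rule shows a bare `name:` list.
SELECTION_NAME: List[str] = [
    "\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil",
    "\\sqldmpr", "\\sam", "\\ntds.dit", "\\security",
]

ZEEK_UNSET = "-"        # Zeek's #unset_field marker
ZEEK_EMPTY = "(empty)"  # Zeek's #empty_field marker


def parse_zeek_tsv(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row of a Zeek TSV log, keyed by the #fields names."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close, ... carry no records
        if line:
            yield dict(zip(fields, line.split("\t")))


def matched_fragments(name: str) -> List[str]:
    """Return the selection values found inside `name`, in rule order."""
    if name in (ZEEK_UNSET, ZEEK_EMPTY):
        return []
    lowered = name.lower()
    return [frag for frag in SELECTION_NAME if frag.lower() in lowered]


def run_rule(log_text: str) -> List[Dict[str, Any]]:
    """`condition: selection`: every record whose name hits at least one fragment."""
    hits: List[Dict[str, Any]] = []
    for record in parse_zeek_tsv(log_text):
        frags = matched_fragments(record.get("name", ZEEK_UNSET))
        if frags:
            hits.append({**record, "matched": frags})
    return hits


def _row(*cols: str) -> str:
    return "\t".join(cols)


# Constructed smb_files.log. Columns: ts uid id.orig_h id.orig_p id.resp_h
# id.resp_p fuid action path name size (a subset of the real log).
SAMPLE_SMB_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tsmb_files",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\taction\tpath\tname\tsize",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tstring\tstring\tcount",
    # SAM hive pulled over the admin share: hit on '\sam'
    _row("1585800000.100000", "CjK3x11", "10.0.0.5", "49210", "10.0.0.10", "445",
         "FaBc121", "SMB::FILE_OPEN", "\\\\10.0.0.10\\C$", "Windows\\System32\\config\\SAM", "65536"),
    # AD database read via C$: hit on '\ntds.dit'
    _row("1585800001.200000", "CjK3x12", "10.0.0.5", "49211", "10.0.0.20", "445",
         "FaBc122", "SMB::FILE_READ", "\\\\dc01\\C$", "Windows\\NTDS\\ntds.dit", "268435456"),
    # LSASS dump: hits '\lsass' only; '\windows\minidump\' needs a leading backslash
    _row("1585800002.300000", "CjK3x13", "10.0.0.7", "49212", "10.0.0.10", "445",
         "FaBc123", "SMB::FILE_READ", "\\\\10.0.0.10\\C$", "Windows\\Minidump\\lsass.dmp", "52428800"),
    # Ordinary document: no hit
    _row("1585800003.400000", "CjK3x14", "10.0.0.8", "49213", "10.0.0.30", "445",
         "FaBc124", "SMB::FILE_OPEN", "\\\\fs01\\Finance", "Budget_2020.xlsx", "204800"),
    # Benign name that still contains the '\sam' fragment (overmatch)
    _row("1585800004.500000", "CjK3x15", "10.0.0.8", "49214", "10.0.0.30", "445",
         "FaBc125", "SMB::FILE_OPEN", "\\\\fs01\\Reports", "Reports\\Samples\\q1.xlsx", "10240"),
    # ntds.dit staged at a share root: no directory separator, so no hit (undermatch)
    _row("1585800005.600000", "CjK3x16", "10.0.0.9", "49215", "10.0.0.30", "445",
         "FaBc126", "SMB::FILE_OPEN", "\\\\fs01\\Public", "ntds.dit", "268435456"),
    # Record with no filename seen
    _row("1585800006.700000", "CjK3x17", "10.0.0.9", "49216", "10.0.0.30", "445",
         "FaBc127", "SMB::FILE_OPEN", "\\\\fs01\\Public", "-", "-"),
    "#close\t2020-04-02-12-00-00",
])


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_SMB_FILES_LOG):
        print(f"{hit['id.orig_h']} -> {hit['id.resp_h']} {hit['action']} "
              f"{hit['path']} {hit['name']} matched={hit['matched']}")
```

Running it reports four hits: the SAM hive, ntds.dit and the LSASS dump copied over C$, plus the benign 'Reports\Samples\q1.xlsx', while the ntds.dit copied to a share root and the '\windows\minidump\' fragment both go unmatched. Before deploying, confirm against your own Zeek output whether 'name' carries a leading backslash and whether files at a share root appear with any directory component at all; both decide how much this list misses.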
References
MITRE ATT&CK
Tactic: Credential Access (TA0006)
Techniques: T1003.001 OS Credential Dumping: LSASS Memory; T1003.002 OS Credential Dumping: Security Account Manager; T1003.003 OS Credential Dumping: NTDS
Rule Metadata
Rule ID
2e69f167-47b5-4ae7-a390-47764529eff5
Status
test
Level
medium
Type
Detection
Created
Thu Apr 02
Modified
Sat Nov 27
Path
rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
Raw Tags
attack.credential-access, attack.t1003.002, attack.t1003.001, attack.t1003.003