Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
Author: Florian Roth (Nextron Systems)
Created: Fri Feb 11
Updated: Thu Jan 05
Rule ID: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
Product: windows
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
detection:
    selection:
        - TargetFilename|endswith:
              - '\Temp\sam'
              - '\sam.sav'
              - '\Intel\sam'
              - '\sam.hive'
              - '\Perflogs\sam'
              - '\ProgramData\sam'
              - '\Users\Public\sam'
              - '\AppData\Local\sam'
              - '\AppData\Roaming\sam'
              - '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
              - '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
              - ':\sam'
        - TargetFilename|contains:
              - '\hive_sam_' # https://github.com/FireFart/hivenightmare
              - '\sam.save'
              - '\sam.export'
              - '\~reg_sam.save'
              - '\sam_backup'
              - '\sam.bck'
              - '\sam.backup'
    condition: selection

False Positives
Rare cases of administrative activity
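To make the selection concrete, the following Python re-implements the rule's two OR-ed lists and runs them over constructed Sysmon-style file-create events. This is an added example, not SigmaHQ code and not a Sigma backend. It assumes the windows/file_event log source is fed by Sysmon Event ID 11 (FileCreate) and that Sigma string modifiers compare case-insensitively, as the Sigma specification states; the event records are constructed here and are not real telemetry.

```python
"""Re-implementation of the 'Potential SAM Database Dump' selection logic over
constructed Sysmon-style file events. Illustrative code only; not part of
SigmaHQ or of any Sigma conversion backend."""

from typing import Dict, List

# Values copied verbatim from the rule's detection block. Raw strings keep the
# backslashes literal.
ENDSWITH = [
    r"\Temp\sam", r"\sam.sav", r"\Intel\sam", r"\sam.hive", r"\Perflogs\sam",
    r"\ProgramData\sam", r"\Users\Public\sam", r"\AppData\Local\sam",
    r"\AppData\Roaming\sam", r"_ShadowSteal.zip", r"\Documents\SAM.export",
    r":\sam",
]
CONTAINS = [
    r"\hive_sam_", r"\sam.save", r"\sam.export", r"\~reg_sam.save",
    r"\sam_backup", r"\sam.bck", r"\sam.backup",
]

# Assumption: the windows/file_event log source maps to Sysmon Event ID 11
# (FileCreate), as SigmaHQ's default pipeline does.
FILE_CREATE_EVENT_ID = 11


def matches_selection(target_filename: str) -> bool:
    """True if TargetFilename satisfies either list item in `selection`.

    A Sigma selection written as a list of maps is an OR of its items, and the
    endswith/contains modifiers compare case-insensitively, so both sides are
    lower-cased before comparison.
    """
    name = target_filename.lower()
    if any(name.endswith(p.lower()) for p in ENDSWITH):
        return True
    return any(p.lower() in name for p in CONTAINS)


def evaluate(events: List[Dict[str, object]]) -> List[str]:
    """Return the TargetFilename of every file-create event the rule would flag."""
    hits = []
    for ev in events:
        if ev.get("EventID") != FILE_CREATE_EVENT_ID:
            continue  # not in the rule's log source category; skip
        name = str(ev.get("TargetFilename", ""))
        if matches_selection(name):
            hits.append(name)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\Temp\sam"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\SAM"},         # case differs from the rule
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\hive_sam_1.bin"},
    {"EventID": 11, "TargetFilename": r"D:\sam"},                      # drive root, matches ':\sam'
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\config\SAM"},  # live hive, not an export
    {"EventID": 11, "TargetFilename": r"C:\Program Files\Vendor\samples\data.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\Documents\samba.conf"},
    {"EventID": 1, "TargetFilename": r"C:\Windows\Temp\sam"},          # wrong event type
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT Potential SAM Database Dump:", hit)
```

Running the block flags the first four sample paths and nothing else. The hive in its normal location (`System32\config\SAM`) is deliberately not flagged, which matches the rule's intent of catching copies and exports rather than the live database; the remaining administrative backups that do hit one of these names are the rare false positives the rule metadata mentions.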
MITRE ATT&CK
Tactics: Credential Access (attack.credential-access)
Sub-techniques: T1003.002, OS Credential Dumping: Security Account Manager (attack.t1003.002)
Rule Metadata
Rule ID
4e87b8e2-2ee9-4b2a-a715-4727d297ece0
Status
test
Level
high
Type
Detection
Created
Fri Feb 11
Modified
Thu Jan 05
Path
rules/windows/file/file_event/file_event_win_sam_dump.yml
Raw Tags
attack.credential-access, attack.t1003.002