Type: Detection · Level: high · Status: test
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare (CVE-2021-36934, also known as SeriousSAM): an overly permissive ACL on the registry hive files under %SystemRoot%\System32\config lets an unprivileged user read copies of SAM, SYSTEM and SECURITY from Volume Shadow Copies and dump them to disk. The rule keys on the output file names that the public proof-of-concept tools use.
Author: Florian Roth (Nextron Systems)
Created: Fri Jul 23
Updated: Thu Jun 27
Rule ID: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
Product: windows
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion. On Windows this category is typically fed by Sysmon Event ID 11 (FileCreate), so the rule only fires if file-creation auditing of this kind is actually shipped to the SIEM.
Detection Logic (1 selector)
detection:
  selection:
    - TargetFilename|contains:
        - '\hive_sam_'   # Go version
        - '\SAM-2021-'   # C++ version
        - '\SAM-2022-'   # C++ version
        - '\SAM-2023-'   # C++ version
        - '\SAM-haxx'    # Early C++ versions
        - '\Sam.save'    # PowerShell version
    - TargetFilename: 'C:\windows\temp\sam'   # C# version of HiveNightmare
  condition: selection

False Positives
Files that accidentally contain these strings
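The selection above is a list of two maps, which Sigma OR-s together: the `|contains` list is a case-insensitive substring test on each value, and the bare `TargetFilename` entry is a case-insensitive full-value match, so `C:\Windows\Temp\SAM` fires but `C:\Windows\Temp\SAM.bak` does not. The following is an added example, not code from the Sigma project or from pySigma, that transcribes the detection block into plain Python and runs it over constructed Sysmon Event ID 11 style records (the event shapes, paths and image names are invented for illustration). It also shows the false positive the rule itself warns about: a benign document whose name happens to contain `\SAM-2022-` matches just like a hive dump.

```python
"""Added example: evaluate the HiveNightmare SAM-export Sigma rule's
detection block over constructed Sysmon Event ID 11 (FileCreate) records.
Illustrative code only; not part of the Sigma rule set or pySigma."""

# Detection block transcribed from the rule above. Sigma semantics:
# a list of maps under a selection is OR-ed; plain string values and the
# |contains modifier match case-insensitively; backslashes are literal
# and none of these values use the '*' or '?' wildcards.
CONTAINS_PATTERNS = [
    r"\hive_sam_",   # Go version
    r"\SAM-2021-",   # C++ version
    r"\SAM-2022-",   # C++ version
    r"\SAM-2023-",   # C++ version
    r"\SAM-haxx",    # early C++ versions
    r"\Sam.save",    # PowerShell version
]
EXACT_PATTERNS = [r"C:\windows\temp\sam"]  # C# version (whole-value match)


def matches(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies the rule's selection."""
    name = target_filename.lower()
    if any(p.lower() in name for p in CONTAINS_PATTERNS):
        return True
    return any(name == p.lower() for p in EXACT_PATTERNS)


# Constructed sample events in the shape a SIEM might hand over for
# Sysmon FileCreate (EventID 11). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\HiveNightmare.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\SAM-2021-07-21.bak"},
    {"EventID": 11, "Image": r"C:\Tools\hive.exe",
     "TargetFilename": r"C:\Tools\hive_sam_1.dat"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Temp\Sam.save"},
    {"EventID": 11, "Image": r"C:\Tools\dump.exe",
     "TargetFilename": r"C:\Windows\Temp\SAM"},      # differs from the rule only in case
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\amy\Documents\SAM-2022-budget.docx"},  # benign: false positive
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\amy\Documents\sam.txt"},  # benign: no match
]


def run_rule(events):
    """Apply the rule to FileCreate events; return the TargetFilenames that fire."""
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == 11 and matches(e["TargetFilename"])]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT HackTool - Typical HiveNightmare SAM File Export:", hit)
```

When triaging a hit, the `Image` field (which the rule itself does not constrain) is the quickest way to separate a dump from a document: a hive export written by an unknown binary from a user-writable directory is a very different event from WINWORD.EXE saving a file that merely contains one of these substrings.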
MITRE ATT&CK
Tactic: Credential Access
Technique: T1552.001 (Unsecured Credentials: Credentials In Files)
Related CVE: CVE-2021-36934
Rule Metadata
Rule ID
6ea858a8-ba71-4a12-b2cc-5d83312404c7
Status
test
Level
high
Type
Detection
Created
Fri Jul 23
Modified
Thu Jun 27
Path
rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
Raw Tags
attack.credential-access
attack.t1552.001
cve.2021-36934