Threat Huntlowtest

Unattend.XML File Access Attempt

Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended windows install process.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Mon Jul 2276a26006-0942-430b-8249-bd51d448f8e5windows

Hunting Hypothesis

Log Source

Windowsfile_access

ProductWindows← raw: windows

Categoryfile_access← raw: file_access

Definition

Requirements: Microsoft-Windows-Kernel-File ETW provider

Detection Logic

detection:
    selection:
        FileName|endswith: '\Panther\unattend.xml'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1552.001 · Credentials In Files

Other

detection.threat-hunting

Rule Metadata

Rule ID

76a26006-0942-430b-8249-bd51d448f8e5

Status

test

Level

low

Type

Threat Hunt

Created

Mon Jul 22

Author

François Hubaut

Path

rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml

Raw Tags

attack.credential-accessattack.t1552.001detection.threat-hunting

View on GitHub