Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Transferring Files with Credential Data via Network Shares

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Teymur Kheirkhabarov, oscd.communityCreated Tue Oct 22Updated Fri Jul 11910ab938-668b-401b-b08c-b596e80fdca5windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection_eid:
        EventID: 5145
    selection_object:
        - RelativeTargetName|contains:
              - '\mimidrv'
              - '\lsass'
              - '\windows\minidump\'
              - '\hiberfil'
              - '\sqldmpr'
        - RelativeTargetName:
              - 'Windows\NTDS\ntds.dit'
              - 'Windows\System32\config\SAM'
              - 'Windows\System32\config\SECURITY'
              - 'Windows\System32\config\SYSTEM'
    condition: all of selection_*
False Positives

Transferring sensitive files for legitimate administration work by legitimate administrator

References
1
Resolving title…
slideshare.net
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Transferring Files with Credential Data via Network Shares - Zeek

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
910ab938-668b-401b-b08c-b596e80fdca5
Status
test
Level
medium
Type
Detection
Created
Tue Oct 22
Modified
Fri Jul 11
Author
Teymur Kheirkhabarov, oscd.community
Path
rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
Raw Tags
attack.credential-accessattack.t1003.002attack.t1003.001attack.t1003.003
View on GitHub