Type: Detection | Level: medium | Status: test

Suspicious Access to Sensitive File Extensions

Detects known sensitive file extensions accessed on a network share

Author: Samir Bousseaden | Created: Wed Apr 03 | Updated: Fri Oct 17 | Rule ID: 91c945bc-2ad1-4799-a591-4d00198a1215 | Platform: windows
Log Source
Product: Windows (raw: windows)
Service: security (raw: security)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith:
            - '.bak'
            - '.dmp'
            - '.edb'
            - '.kirbi'
            - '.msg'
            - '.nsf'
            - '.nst'
            - '.oab'
            - '.ost'
            - '.pst'
            - '.rdp'
            # - '\groups.xml'  # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
    condition: selection
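To show what the selector above actually matches, here is a small reference implementation of its logic run over constructed Security event 5145 records. This is an added example, not code from the rule or the Sigma project; the sample events, the account name svc-backup and the triage helper are assumptions made for illustration. Note that Sigma string modifiers such as endswith compare case-insensitively by default, which the example reproduces.

```python
# Reference implementation of the Sigma selection on this page, run over
# constructed Security 5145 events (added example; not the rule's own code).

SENSITIVE_EXTENSIONS = (
    ".bak", ".dmp", ".edb", ".kirbi", ".msg", ".nsf",
    ".nst", ".oab", ".ost", ".pst", ".rdp",
)

def matches_rule(event: dict) -> bool:
    """EventID must be 5145 and RelativeTargetName must end with one of the
    listed extensions. Sigma's endswith is case-insensitive by default, so the
    target name is lower-cased before comparison."""
    if event.get("EventID") != 5145:
        return False
    target = str(event.get("RelativeTargetName", "")).lower()
    return target.endswith(SENSITIVE_EXTENSIONS)

# Constructed sample events modelled on Security event 5145 fields (assumed data).
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jdoe\Outlook\archive.PST"},        # hit (case)
    {"EventID": 5145, "SubjectUserName": "svc-backup", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"Temp\ntds.dit.bak"},                      # hit
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\SYSVOL",
     "RelativeTargetName": r"corp.local\Policies\{GPO-ID}\Machine\Preferences\Groups\groups.xml"},  # not in list
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jdoe\Outlook\archive.pst"},         # wrong EventID
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jdoe\notes.txt"},                   # benign extension
]

def triage(events, known_backup_accounts=frozenset()):
    """Return the matching events, flagging hits from documented backup or help
    desk accounts (the false-positive source the page lists) for analyst review
    rather than silently dropping them."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            flagged = ev.get("SubjectUserName") in known_backup_accounts
            alerts.append({**ev, "likely_false_positive": flagged})
    return alerts

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, {"svc-backup"}):
        print(a["SubjectUserName"], a["RelativeTargetName"],
              "review (known backup account)" if a["likely_false_positive"] else "alert")
```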
False Positives

Help Desk operator doing backup or re-imaging end user machine or backup software

Users working with these data types or exchanging message files

References
1. Internal Research
Rule Metadata
Rule ID: 91c945bc-2ad1-4799-a591-4d00198a1215
Status: test
Level: medium
Type: Detection
Created: Wed Apr 03
Modified: Fri Oct 17
Path: rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
Raw Tags: attack.collection, attack.t1039