Detection · high · test

Copying Sensitive Files with Credential Data

Files with well-known filenames (sensitive files with credential data) copying

Authors: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
Created: Tue Oct 22
Updated: Tue Jun 04
Rule ID: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection_esent_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: 'esentutl.exe'   # PE version-info name carries no path, so no leading backslash
    selection_esent_cli:
        CommandLine|contains|windash:
            - 'vss'
            - ' /m '
            - ' /y '
    selection_susp_paths:
        CommandLine|contains:
            - '\config\RegBack\sam'
            - '\config\RegBack\security'
            - '\config\RegBack\system'
            - '\config\sam'
            - '\config\security'
            - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
            - '\repair\sam'
            - '\repair\security'
            - '\repair\system'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_esent_* or selection_susp_paths
False Positives

Copying sensitive files for legitimate use (e.g. backup), or forensic investigation by a legitimate incident responder or forensic investigator.

MITRE ATT&CK

Tactic: Credential Access (attack.credential-access)
Techniques: T1003.002 (OS Credential Dumping: Security Account Manager), T1003.003 (OS Credential Dumping: NTDS)
Software: S0404 (esentutl)

CAR Analytics

CAR-2013-07-001
Rule Metadata

Rule ID: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
Status: test
Level: high
Type: Detection
Created: Tue Oct 22
Modified: Tue Jun 04
Path: rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml
Raw Tags: attack.credential-access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404