Sigma Rules
13 rules found
Credential Manager Access By Uncommon Applications
Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function.
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::credhist" function.
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to crypto currency files by uncommon processes. Could indicate a potential attempt at crypto currency wallet stealing.
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::masterkey" function.
Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames, passwords or cookies. This behavior is commonly observed in credential stealing malware.
Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
Access To Chromium Browsers Sensitive Files By Uncommon Applications
Detects file access requests to sensitive files of Chromium-based browsers by uncommon processes. Could indicate a potential attempt at stealing sensitive information.
Access To Browser Credential Files By Uncommon Applications
Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage.
Access To Windows Outlook Mail Files By Uncommon Applications
Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage.
Access To Sysvol Policies Share By Uncommon Process
Detects file access requests to the Windows Sysvol Policies Share by uncommon processes.
Access To .Reg/.Hive Files By Uncommon Applications
Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
Unattend.XML File Access Attempt
Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended Windows install process.