sigmamediumHunting

Transferring Files with Credential Data via Network Shares - Zeek

Transferring files with well-known filenames (sensitive files with credential data) using network shares

MITRE ATT&CK

credential-access

Detection Query

selection:
  name:
    - \mimidrv
    - \lsass
    - \windows\minidump\
    - \hiberfil
    - \sqldmpr
    - \sam
    - \ntds.dit
    - \security
condition: selection

Author

@neu5ron, Teymur Kheirkhabarov, oscd.community

Created

2020-04-02

Data Sources

zeeksmb_files

Platforms

zeek

References

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

Tags

attack.credential-accessattack.t1003.002attack.t1003.001attack.t1003.003

Raw Content

title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
    - id: 910ab938-668b-401b-b08c-b596e80fdca5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
date: 2020-04-02
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.001
    - attack.t1003.003
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        name:
            - '\mimidrv'
            - '\lsass'
            - '\windows\minidump\'
            - '\hiberfil'
            - '\sqldmpr'
            - '\sam'
            - '\ntds.dit'
            - '\security'
    condition: selection
falsepositives:
    - Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium