sigma | high | Hunting
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
Detection Query
selection:
    - TargetFilename|contains:
          - \hive_sam_
          - \SAM-2021-
          - \SAM-2022-
          - \SAM-2023-
          - \SAM-haxx
          - \Sam.save
    - TargetFilename: C:\windows\temp\sam
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2021-07-23
Data Sources
windows / File Events
Platforms
windows
References
https://github.com/GossiTheDog/HiveNightmare
https://github.com/FireFart/hivenightmare/
https://github.com/WiredPulse/Invoke-HiveNightmare
https://twitter.com/cube0x0/status/1418920190759378944
Tags
attack.credential-access, attack.t1552.001, cve.2021-36934
Raw Content
title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1552.001
    - cve.2021-36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
              - '\hive_sam_' # Go version
              - '\SAM-2021-' # C++ version
              - '\SAM-2022-' # C++ version
              - '\SAM-2023-' # C++ version
              - '\SAM-haxx' # Early C++ versions
              - '\Sam.save' # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high
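As an added example that is not part of the rule or the Sigma project, the selection above re-implemented in plain Python and run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. It applies Sigma's default semantics: string comparison is case-insensitive, `|contains` is a substring test, a bare value is a whole-string match, and the two entries of the selection list (like the values inside the contains list) are OR'ed. The Image values and file paths in the sample events are invented for illustration; nothing here is observed telemetry.

```python
# Added example: Sigma selection of the HiveNightmare SAM export rule, applied
# to constructed Sysmon Event ID 11 records. Not the rule's or the project's code.

# Selection transcribed from the rule. Sigma compares strings case-insensitively
# by default; '|contains' is a substring test, a bare value is a whole-string
# match, and list entries are OR'ed.
CONTAINS_PATTERNS = [
    r"\hive_sam_",  # Go version
    r"\SAM-2021-",  # C++ version
    r"\SAM-2022-",  # C++ version
    r"\SAM-2023-",  # C++ version
    r"\SAM-haxx",   # early C++ versions
    r"\Sam.save",   # PowerShell version
]
EXACT_PATHS = [r"C:\windows\temp\sam"]  # C# version


def match_rule(target_filename):
    """Return the rule value that fires on this TargetFilename, or None."""
    name = target_filename.lower()
    for pattern in CONTAINS_PATTERNS:
        if pattern.lower() in name:
            return pattern
    for path in EXACT_PATHS:
        if name == path.lower():
            return path
    return None


def hunt(events):
    """Apply the rule to file-create events and keep each hit together with
    the value that matched, so an analyst can see why it fired."""
    hits = []
    for ev in events:
        matched = match_rule(ev["TargetFilename"])
        if matched is not None:
            hits.append({"Image": ev.get("Image", ""),
                         "TargetFilename": ev["TargetFilename"],
                         "matched": matched})
    return hits


# Constructed Sysmon Event ID 11 (FileCreate) records; paths and images are
# assumptions for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\HiveNightmare.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\SAM-2021-07-21"},
    {"Image": r"C:\Users\bob\Downloads\hive.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\hive_sam_20210721.hiv"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\Sam.save"},
    {"Image": r"C:\Users\bob\Downloads\HiveNightmare.exe",
     "TargetFilename": r"C:\Windows\Temp\SAM"},          # whole-string match, case-insensitive
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Finance\SAM-2022-Q3-report.xlsx"},  # benign name that still fires
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\Temp\samples.txt"},  # prefix only; the exact entry does not fire
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['matched']:<22} {hit['Image']:<60} {hit['TargetFilename']}")
```

Two things worth noticing when running it. The spreadsheet record is the false positive the rule itself lists ("Files that accidentally contain these strings"): any path with a `\SAM-2022-` component fires, so the Image of the writing process is the first field to pivot on during triage. And the year is pinned inside the C++ patterns (2021 to 2023), so a file written with the same naming scheme and a later date would not be matched by the rule as written.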