sigma | medium | Hunting
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Detection Query
selection_eid:
    EventID: 5145
selection_object:
    - RelativeTargetName|contains:
        - \mimidrv
        - \lsass
        - \windows\minidump\
        - \hiberfil
        - \sqldmpr
    - RelativeTargetName:
        - Windows\NTDS\ntds.dit
        - Windows\System32\config\SAM
        - Windows\System32\config\SECURITY
        - Windows\System32\config\SYSTEM
condition: all of selection_*
Author
Teymur Kheirkhabarov, oscd.community
Created
2019-10-22
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.credential-access, attack.t1003.002, attack.t1003.001, attack.t1003.003
Raw Content
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
    - id: 2e69f167-47b5-4ae7-a390-47764529eff5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-07-11
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.001
    - attack.t1003.003
logsource:
    product: windows
    service: security
detection:
    selection_eid:
        EventID: 5145
    selection_object:
        - RelativeTargetName|contains:
            - '\mimidrv'
            - '\lsass'
            - '\windows\minidump\'
            - '\hiberfil'
            - '\sqldmpr'
        - RelativeTargetName:
            - 'Windows\NTDS\ntds.dit'
            - 'Windows\System32\config\SAM'
            - 'Windows\System32\config\SECURITY'
            - 'Windows\System32\config\SYSTEM'
    condition: all of selection_*
falsepositives:
    - Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
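Added example (not part of the rule or the Sigma project's code): the rule's selection logic evaluated in Python over constructed Event ID 5145 records, to show how the `contains` list, the exact-match list and the `all of selection_*` condition combine. The `matches` and `hunt` helpers and all sample events are assumptions made for illustration; the field names follow the Windows 5145 event schema.

```python
# Added example: the rule's selection logic evaluated over constructed events.
# Sigma string matching is case-insensitive; '|contains' is a substring test,
# a bare field name is an exact match.
CONTAINS = ["\\mimidrv", "\\lsass", "\\windows\\minidump\\", "\\hiberfil", "\\sqldmpr"]
EXACT = {
    "windows\\ntds\\ntds.dit",
    "windows\\system32\\config\\sam",
    "windows\\system32\\config\\security",
    "windows\\system32\\config\\system",
}


def matches(event: dict) -> bool:
    """condition: all of selection_* (selection_eid AND selection_object)."""
    if str(event.get("EventID")) != "5145":
        return False
    name = str(event.get("RelativeTargetName", "")).lower()
    # The two list items under selection_object are OR-ed together.
    return any(s in name for s in CONTAINS) or name in EXACT


def hunt(events: list) -> list:
    """Return (user, source IP, share, path) for each matching event."""
    return [
        (e.get("SubjectUserName"), e.get("IpAddress"), e.get("ShareName"),
         e.get("RelativeTargetName"))
        for e in events if matches(e)
    ]


# Constructed sample events (not real telemetry); documentation-range addresses.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "svc_backup", "IpAddress": "192.0.2.10",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\NTDS\\ntds.dit"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "192.0.2.23",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\Public\\LSASS.DMP"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "192.0.2.23",
     "ShareName": "\\\\*\\Finance", "RelativeTargetName": "Reports\\q3.xlsx"},
    # Wrong EventID: dropped by selection_eid regardless of the other fields.
    {"EventID": 5140, "SubjectUserName": "jdoe", "IpAddress": "192.0.2.23",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\NTDS\\ntds.dit"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Event ID 5145 is only logged when the "Audit Detailed File Share" subcategory is enabled, so the rule produces nothing on hosts without that audit policy.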