EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows Gather Victim Identity SAM Info

The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.

MITRE ATT&CK

T1589.001

Detection Query

`sysmon` EventCode=7  (ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`

Author

Teoderick Contreras, Splunk

Created

2025-05-02

Data Sources

Sysmon EventID 7

References

Tags

Brute Ratel C4
Raw Content
name: Windows Gather Victim Identity SAM Info
id: a18e85d7-8b98-4399-820c-d46a1ca3516f
version: 7
date: '2025-05-02'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.
data_source:
    - Sysmon EventID 7
search: '`sysmon` EventCode=7  (ImageLoaded = "*\\samlib.dll" AND OriginalFileName = "samlib.dll") OR (ImageLoaded = "*\\samcli.dll" AND OriginalFileName = "SAMCLI.DLL") AND NOT (Image IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*")) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`'
how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
known_false_positives: this module can be loaded by a third party application. Filter is needed.
references:
    - https://redcanary.com/blog/active-breach-evading-defenses/
    - https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html
tags:
    analytic_story:
        - Brute Ratel C4
    asset_type: Endpoint
    mitre_attack_id:
        - T1589.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog