title: PowerShell SAM Copy
author: Florian Roth
date: 2021/07/29
description: Detects suspicious PowerShell scripts accessing SAM hives
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: '*\HarddiskVolumeShadowCopy*'
    SELECTION_3:
        CommandLine: '*ystem32\config\sam*'
    SELECTION_4:
        CommandLine: '*Copy-Item*'
    SELECTION_5:
        CommandLine: '*cp $_.*'
    SELECTION_6:
        CommandLine: '*cpi $_.*'
    SELECTION_7:
        CommandLine: '*copy $_.*'
    SELECTION_8:
        CommandLine: '*.File]::Copy(*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
    - Some rare backup scenarios
    - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
id: 1af57a4b-460a-4738-9034-db68b880c665
level: high
logsource:
    category: process_creation
    product: windows
references:
    - https://twitter.com/splinter_code/status/1420546784250769408
status: experimental
tags:
    - attack.credential_access
    - attack.t1003.002
yml_filename: win_susp_powershell_sam_access.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
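The following is an added example, not part of the rule above or of any Sigma tooling: a small Python evaluator that applies the rule's selections and condition to a handful of constructed Sysmon Event ID 1 records, so the matching logic can be checked offline. It assumes Sigma's default string semantics (case-insensitive comparison, `*` matching any run of characters, `?` matching one character); the sample command lines, the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` path form, and the event dictionaries are constructed for the example and are not taken from real logs.

```python
import re
from typing import Any, Dict, Tuple

# Selections transcribed from the rule (field name, value). The wildcard
# patterns are kept exactly as written in the rule, including the leading
# "ystem32" that sidesteps the capitalisation of "System32".
SELECTIONS: Dict[str, Tuple[str, Any]] = {
    "SELECTION_1": ("EventID", 1),
    "SELECTION_2": ("CommandLine", r"*\HarddiskVolumeShadowCopy*"),
    "SELECTION_3": ("CommandLine", r"*ystem32\config\sam*"),
    "SELECTION_4": ("CommandLine", "*Copy-Item*"),
    "SELECTION_5": ("CommandLine", "*cp $_.*"),
    "SELECTION_6": ("CommandLine", "*cpi $_.*"),
    "SELECTION_7": ("CommandLine", "*copy $_.*"),
    "SELECTION_8": ("CommandLine", "*.File]::Copy(*"),
}


def sigma_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sigma string value into a regex (assumed Sigma semantics):
    '*' matches any run of characters, '?' matches exactly one character,
    every other character is literal; matching is case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def selection_matches(event: Dict[str, Any], field: str, value: Any) -> bool:
    """One selection: string values use wildcard matching over the whole
    field; non-string values (EventID) must be equal."""
    actual = event.get(field)
    if actual is None:
        return False
    if isinstance(value, str):
        return sigma_wildcard_to_regex(value).fullmatch(str(actual)) is not None
    return actual == value


def rule_matches(event: Dict[str, Any]) -> bool:
    """The rule's condition:
    SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or ... or SELECTION_8)."""
    s = {name: selection_matches(event, f, v) for name, (f, v) in SELECTIONS.items()}
    return (
        s["SELECTION_1"] and s["SELECTION_2"] and s["SELECTION_3"]
        and (s["SELECTION_4"] or s["SELECTION_5"] or s["SELECTION_6"]
             or s["SELECTION_7"] or s["SELECTION_8"])
    )


# Constructed sample events (not real telemetry). EventID 1 is Sysmon
# process creation; CommandLine is what the rule inspects.
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    # Copy-Item of the SAM hive out of a shadow copy: should fire.
    "copy_item_from_shadow_copy": {
        "EventID": 1,
        "CommandLine": r'powershell.exe -c "Copy-Item \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\Public\sam"',
    },
    # Same theft via the .NET File API instead of a cmdlet: should fire.
    "dotnet_file_copy_from_shadow_copy": {
        "EventID": 1,
        "CommandLine": r"powershell -c \"[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\sam','C:\temp\sam')\"",
    },
    # Shadow copy access, but a different file: SELECTION_3 fails.
    "shadow_copy_other_file": {
        "EventID": 1,
        "CommandLine": r"powershell -c Copy-Item \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\drivers\etc\hosts C:\temp",
    },
    # ACL fix on the live SAM (the false-positive class the rule names):
    # no shadow copy path, so SELECTION_2 fails.
    "icacls_sam_fix": {
        "EventID": 1,
        "CommandLine": r'icacls C:\Windows\System32\config\sam /remove "BUILTIN\Users"',
    },
    # Matching command line on a non-process-creation event: SELECTION_1 fails.
    "wrong_event_id": {
        "EventID": 3,
        "CommandLine": r"Copy-Item \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\sam C:\temp\sam",
    },
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample; True means the rule fires."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'quiet '} {name}")
```

Two points worth noticing when reading the results: `SELECTION_3` is satisfied by the hive name anywhere in the command line regardless of case, so both the cmdlet and the `[System.IO.File]::Copy(` form fire, while a shadow-copy read of any other file stays quiet; and because the condition is a conjunction over three separate substrings, splitting the path across variables (for example building the shadow-copy path in one command and the `config\sam` suffix in another) would evade this particular rule, which is the usual caveat for command-line-only detections.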