44 lines
946 B
YAML
44 lines
946 B
YAML
|
|
title: Suspicious Access to Sensitive File Extensions
|
|
author: Samir Bousseaden
|
|
date: 2019/04/03
|
|
description: Detects known sensitive file extensions accessed on a network share
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 5145
|
|
SELECTION_2:
|
|
RelativeTargetName:
|
|
- '*.pst'
|
|
- '*.ost'
|
|
- '*.msg'
|
|
- '*.nst'
|
|
- '*.oab'
|
|
- '*.edb'
|
|
- '*.nsf'
|
|
- '*.bak'
|
|
- '*.dmp'
|
|
- '*.kirbi'
|
|
- '*\groups.xml'
|
|
- '*.rdp'
|
|
condition: (SELECTION_1 and SELECTION_2)
|
|
falsepositives:
|
|
- Help Desk operator doing backup or re-imaging end user machine or pentest or backup
|
|
software
|
|
- Users working with these data types or exchanging message files
|
|
fields:
|
|
- ComputerName
|
|
- SubjectDomainName
|
|
- SubjectUserName
|
|
- RelativeTargetName
|
|
id: 91c945bc-2ad1-4799-a591-4d00198a1215
|
|
level: medium
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
modified: 2021/08/09
|
|
status: experimental
|
|
tags:
|
|
- attack.collection
|
|
- attack.t1039
|
|
ruletype: SIGMA
|