32 lines
958 B
YAML
32 lines
958 B
YAML
title: Protected Storage Service Access
|
|
author: Roberto Rodriguez @Cyb3rWard0g
|
|
date: 2019/08/10
|
|
description: Detects access to a protected_storage service over the network. Potential
|
|
abuse of DPAPI to extract domain backup keys from Domain Controllers
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 5145
|
|
SELECTION_2:
|
|
ShareName: '*IPC*'
|
|
SELECTION_3:
|
|
RelativeTargetName: protected_storage
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
|
|
falsepositives:
|
|
- Unknown
|
|
id: 45545954-4016-43c6-855e-eae8f1c369dc
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
modified: 2020/08/23
|
|
references:
|
|
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
|
|
status: experimental
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.t1021
|
|
- attack.t1021.002
|
|
yml_filename: win_protected_storage_service_access.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
|
|