
HackTool - Typical HiveNightmare SAM File Export

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects files written by the different tools that exploit HiveNightmare

MITRE ATT&CK coverage

Tactic            | Technique
Credential Access | T1552.001 Unsecured Credentials: Credentials In Files

Event coverage

Provider | Event ID | Title
Sysmon   | 11       | FileCreate

Stages and Predicates

Stage 1: selection

or:
TargetFilename: 'C:\windows\temp\sam'
TargetFilename|contains: '\SAM-2021-'
TargetFilename|contains: '\SAM-2022-'
TargetFilename|contains: '\SAM-2023-'
TargetFilename|contains: '\SAM-haxx'
TargetFilename|contains: '\Sam.save'
TargetFilename|contains: '\hive_sam_'
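The selection above is a single "or" over one exact-match and six substring predicates on TargetFilename, evaluated only on Sysmon Event ID 11 (FileCreate) records. The following Python is an added illustration of how that logic evaluates against sample telemetry; it is not part of the Sigma rule or the catalog's own matching engine. The event dicts are constructed, the field names (Provider, EventID, TargetFilename) follow the Sysmon event schema, and string comparison is done case-insensitively, which is the Sigma default for these modifiers.

```python
"""Added example: evaluate the HiveNightmare SAM-export selection against
Sysmon FileCreate records. Illustrative code, not the rule's own engine."""

# Values copied from the selection block. Sigma string matching is
# case-insensitive by default, so both sides are lowercased below.
EXACT_TARGETS = [r"C:\windows\temp\sam"]
CONTAINS_TARGETS = [
    r"\SAM-2021-",
    r"\SAM-2022-",
    r"\SAM-2023-",
    r"\SAM-haxx",
    r"\Sam.save",
    r"\hive_sam_",
]


def selection_matches(target_filename: str) -> bool:
    """True when TargetFilename satisfies the rule's 'or' selection."""
    name = target_filename.lower()
    if any(name == t.lower() for t in EXACT_TARGETS):
        return True
    # 'contains' is a literal substring test; the '.' in '\Sam.save' is not a wildcard.
    return any(t.lower() in name for t in CONTAINS_TARGETS)


def rule_matches(event: dict) -> bool:
    """Apply the event coverage (Sysmon Event ID 11) before the selection."""
    if event.get("Provider") != "Microsoft-Windows-Sysmon":
        return False
    if event.get("EventID") != 11:
        return False
    return selection_matches(event.get("TargetFilename", ""))


# Constructed sample events (not real telemetry). Two should alert, two should not.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 11,
     "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\SAM-2021-07-21.hive"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\sam"},          # exact match, case-insensitive
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 11,
     "Image": r"C:\Program Files\Backup\backup.exe",
     "TargetFilename": r"D:\backups\hive_system_2023.bak"},  # near miss: not '\hive_sam_'
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 23,   # FileDelete, outside coverage
     "Image": r"C:\Windows\Temp\cleanup.exe",
     "TargetFilename": r"C:\Windows\Temp\sam"},
]


def matching_filenames(events=SAMPLE_EVENTS) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for filename in matching_filenames():
        print("ALERT: HiveNightmare SAM export candidate:", filename)
```

The near-miss record shows why the substring predicates are anchored on a leading backslash plus a tool-specific prefix: a legitimately named backup file that merely contains "hive" does not trip the rule, while the FileDelete record shows that event coverage is checked before the selection.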

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: TargetFilename   Kind: eq
  • C:\windows\temp\sam
Field: TargetFilename   Kind: match
  • \SAM-2021-
  • \SAM-2022-
  • \SAM-2023-
  • \SAM-haxx
  • \Sam.save
  • \hive_sam_   (corpus: 2, sigma 2)