Transferring Files with Credential Data via Network Shares

Severity: medium
Author: Teymur Kheirkhabarov, oscd.community
Source: upstream

Transferring files with well-known filenames (sensitive files with credential data) using network shares

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.001` OS Credential Dumping: LSASS Memory, `T1003.002` OS Credential Dumping: Security Account Manager, `T1003.003` OS Credential Dumping: NTDS

Event coverage

Provider	Event ID	Title
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: `all of selection_eid`

Stage 2: `all of selection_object`

or:
RelativeTargetName: 'Windows\NTDS\ntds.dit'
RelativeTargetName: 'Windows\System32\config\SAM'
RelativeTargetName: 'Windows\System32\config\SECURITY'
RelativeTargetName: 'Windows\System32\config\SYSTEM'
RelativeTargetName|contains: '\hiberfil'
RelativeTargetName|contains: '\lsass'
RelativeTargetName|contains: '\mimidrv'
RelativeTargetName|contains: '\sqldmpr'
RelativeTargetName|contains: '\windows\minidump\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`RelativeTargetName`	eq	`Windows\NTDS\ntds.dit` `Windows\System32\config\SAM` `Windows\System32\config\SECURITY` `Windows\System32\config\SYSTEM`
`RelativeTargetName`	match	`\hiberfil` `\lsass` `\mimidrv` `\sqldmpr` `\windows\minidump\`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Potential Machine Account Relay Attack via SMB [elastic] (cross-vendor) (adds 6 filters) (first-stage match only; downstream stages may differ)
Executable File Written in Administrative SMB Share [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
High Frequency Copy Of Files In Network Share [splunk] (cross-vendor) (adds 5 filters) (first-stage match only; downstream stages may differ)
PetitPotam Network Share Access Request [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Possible PetitPotam Coerce Authentication Attempt [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Remote Task Creation via ATSVC Named Pipe [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Possible Impacket SecretDump Remote Activity [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Windows Network Access Suspicious desktop.ini Action [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Remote Service Activity via SVCCTL Named Pipe [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
DCERPC SMB Spoolss Named Pipe [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Impacket PsExec Execution [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Protected Storage Service Access [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
SMB Create Remote File Admin Share [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Suspicious PsExec Execution [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
First Time Seen Remote Named Pipe [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Access to Sensitive File Extensions [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
T1047 Wmiprvse Wbemcomn DLL Hijack [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)