Detection rules › Splunk
Windows Gather Victim Identity SAM Info
The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1589.001 Gather Victim Identity Information: Credentials |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: search
search ((NOT Image IN ("%systemroot%\\*", "C:\\Program File*", "C:\\Windows\\*") ImageLoaded="*\\samcli.dll" OriginalFileName="SAMCLI.DLL") OR (ImageLoaded="*\\samlib.dll" OriginalFileName="samlib.dll")) EventCode=7
Stage 2: fillnull
fillnull
Stage 3: stats
stats BY Image, ImageLoaded, dest, loaded_file, loaded_file_path, original_file_name, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ImageLoaded | eq |
|
OriginalFileName | eq |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Windows Remote Access Software BRC4 Loaded Dll (drops 1 filter this rule applies)