1type: trigger
2name: sigmahq/proc_creation_win_esentutl_sensitive_file_copy
3description: |
4  Files with well-known filenames (sensitive files with credential data) copying
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\esentutl.exe' || evt.Parsed.OriginalFileName == '\\esentutl.exe') && (evt.Parsed.CommandLine contains 'vss' || evt.Parsed.CommandLine contains ' -m ' || evt.Parsed.CommandLine contains ' /m ' || evt.Parsed.CommandLine contains ' –m ' || evt.Parsed.CommandLine contains ' —m ' || evt.Parsed.CommandLine contains ' ―m ' || evt.Parsed.CommandLine contains ' -y ' || evt.Parsed.CommandLine contains ' /y ' || evt.Parsed.CommandLine contains ' –y ' || evt.Parsed.CommandLine contains ' —y ' || evt.Parsed.CommandLine contains ' ―y ') || evt.Parsed.CommandLine contains '\\config\\RegBack\\sam' || evt.Parsed.CommandLine contains '\\config\\RegBack\\security' || evt.Parsed.CommandLine contains '\\config\\RegBack\\system' || evt.Parsed.CommandLine contains '\\config\\sam' || evt.Parsed.CommandLine contains '\\config\\security' || evt.Parsed.CommandLine contains '\\config\\system ' || evt.Parsed.CommandLine contains '\\repair\\sam' || evt.Parsed.CommandLine contains '\\repair\\security' || evt.Parsed.CommandLine contains '\\repair\\system' || evt.Parsed.CommandLine contains '\\windows\\ntds\\ntds.dit')
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1003.002
15   - attack.t1003.003
16
17  label: "Copying Sensitive Files with Credential Data"
18  behavior : "windows:audit"
19  remediation: false
20
21scope:
22  type: ParentProcessId
23  expression: evt.Parsed.ParentProcessId
24
25