← Library
sigmaDRL-1.1from SigmaHQ/sigma

HackTool - Typical HiveNightmare SAM File Export

Detects files written by the different tools that exploit HiveNightmare

Quality
98
FP risk
Forks
0
Views
0
ATT&CK techniques
T1552.001
Rule sourcerules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1552.001
    - cve.2021-36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
              - '\hive_sam_'  # Go version
              - '\SAM-2021-'  # C++ version
              - '\SAM-2022-'  # C++ version
              - '\SAM-2023-'  # C++ version
              - '\SAM-haxx'   # Early C++ versions
              - '\Sam.save'   # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam'  # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high