yara-lApache-2.0from chronicle/detection-rules

sap_sensitive_tables_direct_access_by_rfc_logon_static_list

Detects direct access to highly sensitive SAP tables (USR02, PAYR, P0002) via RFC logon. This specifically monitors for potential theft of user hashes (USR02), payroll data (PAYR), or personal employee information (P0002).

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1005

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.