- title: SAM Dump to AppData
id: 839dd1e8-eda8-4834-8145-01beeee33acd
status: experimental
description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other
password dumpers
tags:
- attack.credential_access
- attack.t1003
author: Florian Roth
logsource:
product: windows
service: system
definition: The source of this type of event is Kernel-General
category: null
detection:
selection:
EventID: 16
keywords:
Message:
- '*\AppData\Local\Temp\SAM-*.dmp *'
condition: all of them
falsepositives:
- Penetration testing
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-system-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(event_id:"16" AND Message.keyword:(*\\AppData\\Local\\Temp\\SAM\-*.dmp\ *))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()