PowerShell SAM Copy activity

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects suspicious PowerShell scripts accessing SAM hives

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (COMMANDLINE contains "\HarddiskVolumeShadowCopy" AND COMMANDLINE contains "System32\config\sam" AND COMMANDLINE contains "Copy-Item,cp $_.,cpi $_.,copy $_.,.File]::Copy(") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Active Directory

Author

@Florian Roth (Nextron Systems)