Copying Sensitive Files with Credential Data

Rule name: Copying Sensitive Files with Credential Data

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Credential Access: OS Credential Dumping - NTDS (T1003.003); Credential Access: OS Credential Dumping - Security Account Manager (T1003.002)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Copying Sensitive Files with Credential Data detects attempts to access and copy files known to contain sensitive data such as user credentials, authentication tokens, or password hashes (for example SAM, SECURITY, SYSTEM, browser credential stores, VPN profiles, or configuration files that store secrets). While legitimate tools and processes may access such files under controlled conditions (e.g., system backups or migrations), adversaries often target these files to harvest credentials for further lateral movement or privilege escalation.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Credential access → Copying sensitive credential files → Exfiltration → Impact

Impact

  • Credential theft
  • Privilege escalation
  • Lateral movement
  • Data exfiltration
  • Breach of confidential information

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Action1: actionname = "Process started" AND ((PROCESSNAME endswith "\esentutl.exe" OR ORIGINALFILENAME = "\esentutl.exe") AND (COMMANDLINE contains "vss" OR COMMANDLINE contains " -m , /m , –m , —m , ―m " OR COMMANDLINE contains " -y , /y , –y , —y , ―y ")) OR COMMANDLINE contains "\config\RegBack\sam,\config\RegBack\security,\config\RegBack\system,\config\sam,\config\security,\config\system ,\repair\sam,\repair\security,\repair\system,\windows\ntds\ntds.dit" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
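The criteria above, expressed as detection logic that runs over constructed sample process-creation events. This is an added example, not part of the rule documentation or the product's query engine; the field names follow the rule's query, the sample events are constructed, and the approved-parent allowlist (a hypothetical backup agent path) illustrates the rule's known-false-positive handling.

```python
import re

# Sensitive paths from the rule's COMMANDLINE list (matched case-insensitively).
SENSITIVE_PATHS = (
    "\\config\\regback\\sam", "\\config\\regback\\security", "\\config\\regback\\system",
    "\\config\\sam", "\\config\\security", "\\config\\system",
    "\\repair\\sam", "\\repair\\security", "\\repair\\system", "\\windows\\ntds\\ntds.dit",
)
# The rule lists -m/-y with five prefixes: hyphen, slash, en dash, em dash and horizontal bar,
# so a switch written with a typographic dash (e.g. pasted from a document) still matches.
ESENTUTL_SWITCH = re.compile("(?:^|\\s)[-/\u2013\u2014\u2015][my](?=\\s|$)")

def matches_rule(event: dict) -> bool:
    """True when a process-start event meets the rule's criteria."""
    cmd = event.get("COMMANDLINE", "").lower()
    proc = event.get("PROCESSNAME", "").lower()
    # Sysmon reports OriginalFileName as "esentutl.exe"; the rule compares against "\esentutl.exe".
    orig = event.get("ORIGINALFILENAME", "").lower().lstrip("\\")
    if event.get("actionname") == "Process started":
        is_esentutl = proc.endswith("\\esentutl.exe") or orig == "esentutl.exe"
        if is_esentutl and ("vss" in cmd or ESENTUTL_SWITCH.search(cmd)):
            return True
    return any(path in cmd for path in SENSITIVE_PATHS)

def triage(event: dict, approved_parents: frozenset) -> str:
    """Known-false-positive handling: sanctioned backup tooling is allowlisted by parent process."""
    if not matches_rule(event):
        return "no-match"
    if event.get("PARENTPROCESSNAME", "").lower() in approved_parents:
        return "review-allowlisted"
    return "alert"

# Constructed sample events (not real telemetry) using the rule's field names.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "PROCESSNAME": "C:\\Windows\\System32\\esentutl.exe",
     "ORIGINALFILENAME": "esentutl.exe", "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": "esentutl.exe /y /vss C:\\Windows\\NTDS\\ntds.dit /d C:\\Temp\\ntds.dit"},
    {"actionname": "Process started", "PROCESSNAME": "C:\\Windows\\System32\\esentutl.exe",
     "ORIGINALFILENAME": "esentutl.exe", "PARENTPROCESSNAME": "C:\\Windows\\System32\\services.exe",
     "COMMANDLINE": "esentutl.exe /p C:\\ProgramData\\App\\app.edb"},  # database repair, no copy switch
    {"actionname": "Process started", "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "ORIGINALFILENAME": "Cmd.Exe", "PARENTPROCESSNAME": "C:\\Program Files\\BackupVendor\\agent.exe",
     "COMMANDLINE": "cmd.exe /c copy C:\\Windows\\System32\\config\\RegBack\\SAM C:\\Users\\Public\\sam.bak"},
    {"actionname": "Process started", "PROCESSNAME": "C:\\Windows\\System32\\notepad.exe",
     "ORIGINALFILENAME": "NOTEPAD.EXE", "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
     "COMMANDLINE": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]
APPROVED_PARENTS = frozenset({"c:\\program files\\backupvendor\\agent.exe"})  # hypothetical backup agent
```

Events 1 and 3 match (the second via the RegBack SAM path rather than esentutl), event 2 is a plain database repair and does not, and event 3 is routed to review rather than alert because its parent is on the allowlist.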

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Credential Access: OS Credential Dumping - NTDS (T1003.003); Credential Access: OS Credential Dumping - Security Account Manager (T1003.002)

Security Standards

Enabling this rule will help you meet the security standard requirements listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of an attempt to copy files that are likely to contain credential data. This enables you to review access patterns to sensitive files, investigate the user and process responsible for the action, and rapidly identify attempts to harvest sensitive authentication information for malicious purposes.

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.

This rule allows you to detect the tampering of data within sensitive files, which helps you comply with this Subcategory.

Author

Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community

Future actions

Known False Positives

This rule may trigger during legitimate administrative tasks such as system backups, password recovery operations, or sanctioned IT migration activities. Confirm whether the access and copying of credential files was authorized and performed via approved tools.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
  4. Reconfiguration: Update monitoring rules and allowlists to distinguish between sanctioned backup processes and suspicious access, and continue to refine detection analytics for sensitive file access trends.

Mitigation

Mitigation ID - Mitigation Name: Mitigation description

M1041 - Encrypt Sensitive Information: Ensure Domain Controller backups are properly secured. (Metcalf 2015)

M1027 - Password Policies: Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 - Privileged Account Management: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

M1017 - User Training: Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

M1028 - Operating System Configuration: Consider disabling or restricting NTLM. (Microsoft Disable NTLM Nov 2012)