
Summary
The rule 'SAM Database File Access Attempt' detects attempts to access the SAM, SYSTEM, or SECURITY registry hive files stored in the `windows\system32\config` directory. It uses Windows Security Event logs and focuses on EventCode 4663, which records an attempt to access an object. The detection logic filters for those three object names and excludes known benign processes such as `dllhost.exe`, so that what remains are potential credential access attempts, including ones that exploit vulnerabilities like CVE-2021-36934. These access attempts matter because they may indicate an attacker trying to extract user password hashes from the hives, which can lead to unauthorized access and further compromise of the system. Deploying the rule requires configuring the Group Policy settings that enable auditing of object access, so that the relevant events are generated, collected, and analyzed.
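The filtering described above, reimplemented over a constructed sample of 4663 events. This is an added illustration, not the rule's own search logic; the event field names (ObjectName, ProcessName, SubjectUserName) follow the Windows Security event XML, and the sample process paths and user names are made up for the example.

```python
import re

# Constructed sample of Windows Security events with the fields the rule uses.
# Event 2 is the benign dllhost.exe case, event 4 touches a non-hive file, and
# event 5 is a different EventCode; only events 1 and 3 should fire.
SAMPLE_EVENTS = [
    {"EventCode": 4663, "ObjectName": r"C:\Windows\System32\config\SAM",
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe", "SubjectUserName": "alice"},
    {"EventCode": 4663, "ObjectName": r"C:\Windows\System32\config\SYSTEM",
     "ProcessName": r"C:\Windows\System32\dllhost.exe", "SubjectUserName": "SYSTEM"},
    {"EventCode": 4663, "ObjectName": r"C:\Windows\System32\config\SECURITY",
     "ProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "bob"},
    {"EventCode": 4663, "ObjectName": r"C:\Windows\System32\drivers\etc\hosts",
     "ProcessName": r"C:\Windows\System32\notepad.exe", "SubjectUserName": "alice"},
    {"EventCode": 4656, "ObjectName": r"C:\Windows\System32\config\SAM",
     "ProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "bob"},
]

# The three hive files under windows\system32\config, matched case-insensitively
# against the end of the object path (the rule's object filter).
HIVE_PATTERN = re.compile(
    r"\\windows\\system32\\config\\(sam|system|security)$", re.IGNORECASE)

# Processes the rule treats as benign and drops from the results.
EXCLUDED_PROCESSES = {"dllhost.exe"}


def is_hive_access_attempt(event: dict) -> bool:
    """True when an event satisfies the detection logic."""
    if event.get("EventCode") != 4663:
        return False
    if not HIVE_PATTERN.search(event.get("ObjectName", "")):
        return False
    # Compare only the executable name so the exclusion is path-independent.
    process = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    return process not in EXCLUDED_PROCESSES


def detect(events):
    """Return (user, process, object) for every event that fires the rule."""
    return [(e["SubjectUserName"], e["ProcessName"], e["ObjectName"])
            for e in events if is_hive_access_attempt(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT user=%s process=%s object=%s" % hit)
```

Note that 4663 is only generated when the File System subcategory of object-access auditing is enabled and a SACL covering the hive files exists, so a silent deployment usually means the audit configuration, not the search, is incomplete.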
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1003.002
- T1003
Created: 2024-11-13