Security Account Manager

let SAMRegistryDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_all ("save", "hklm\\sam") 
    or ProcessCommandLine has_all ("save", "hklm\\system")
    or ProcessCommandLine has_all ("save", "hklm\\security")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName;
let SAMShadowCopyAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("esentutl.exe", "ntdsutil.exe")
| where ProcessCommandLine has_any ("sam", "ntds", "shadow")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName;
let MimikatzSAM = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("lsadump::sam", "lsadump::cache", "sekurlsa::msv")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let VSSForSAM = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "vssadmin.exe"
| where ProcessCommandLine has_any ("create shadow", "list shadows")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union SAMRegistryDump, SAMShadowCopyAccess, MimikatzSAM, VSSForSAM
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval IsSAMDump=case(
    match(lower(Image), "reg\.exe") AND match(lower(CommandLine), "save.*(hklm\\sam|hklm\\system|hklm\\security)"), 1,
    match(lower(CommandLine), "lsadump::sam|lsadump::cache|sekurlsa::msv"), 1,
    match(lower(Image), "vssadmin\.exe") AND match(lower(CommandLine), "create shadow|list shadow"), 1,
    match(lower(Image), "(esentutl|ntdsutil)\.exe") AND match(lower(CommandLine), "(sam|ntds|shadow)"), 1,
    1==1, 0
  )
| where IsSAMDump=1
| eval DumpMethod=case(
    match(lower(Image), "reg\.exe"), "RegistryExport",
    match(lower(CommandLine), "lsadump|sekurlsa"), "Mimikatz",
    match(lower(Image), "vssadmin"), "ShadowCopy",
    match(lower(Image), "esentutl|ntdsutil"), "ESENTool",
    1==1, "Other"
  )
| table _time, host, Image, CommandLine, User, DumpMethod
| sort - _time

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name : "reg.exe" and process.args : ("save", "hklm\\sam", "hklm\\system", "hklm\\security")) or
     (process.name : ("esentutl.exe", "ntdsutil.exe") and process.args : ("sam", "ntds", "shadow")) or
     (process.command_line : ("*lsadump::sam*", "*lsadump::cache*", "*sekurlsa::msv*")) or
     (process.name : "vssadmin.exe" and process.args : ("create", "shadow", "list"))
   )
  ] by process.entity_id

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime, sourceip, username, "Process Name", "Command", CATEGORYNAME(category) AS Category, LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE LOGSOURCETYPEID IN (12, 13, 14)
  AND (
    (LOWER("Process Name") LIKE '%reg.exe%' AND (LOWER("Command") LIKE '%save%hklm\\sam%' OR LOWER("Command") LIKE '%save%hklm\\system%' OR LOWER("Command") LIKE '%save%hklm\\security%'))
    OR (LOWER("Command") LIKE '%lsadump::sam%' OR LOWER("Command") LIKE '%lsadump::cache%' OR LOWER("Command") LIKE '%sekurlsa::msv%')
    OR (LOWER("Process Name") LIKE '%vssadmin.exe%' AND (LOWER("Command") LIKE '%create shadow%' OR LOWER("Command") LIKE '%list shadow%'))
    OR (LOWER("Process Name") LIKE '%esentutl.exe%' AND (LOWER("Command") LIKE '%sam%' OR LOWER("Command") LIKE '%shadow%'))
    OR (LOWER("Process Name") LIKE '%ntdsutil.exe%' AND LOWER("Command") LIKE '%sam%')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse field=CommandLine "*" as cmd nodrop
| parse field=Image "*" as img nodrop
| where (toLower(img) matches "*reg.exe" and (toLower(cmd) matches "*save*hklm\\sam*" or toLower(cmd) matches "*save*hklm\\system*" or toLower(cmd) matches "*save*hklm\\security*"))
  or (toLower(cmd) matches "*lsadump::sam*" or toLower(cmd) matches "*lsadump::cache*" or toLower(cmd) matches "*sekurlsa::msv*")
  or (toLower(img) matches "*vssadmin.exe" and (toLower(cmd) matches "*create shadow*" or toLower(cmd) matches "*list shadow*"))
  or ((toLower(img) matches "*esentutl.exe" or toLower(img) matches "*ntdsutil.exe") and (toLower(cmd) matches "*sam*" or toLower(cmd) matches "*shadow*" or toLower(cmd) matches "*ntds*"))
| eval DumpMethod = if(toLower(img) matches "*reg.exe", "RegistryExport",
    if(toLower(cmd) matches "*lsadump*" or toLower(cmd) matches "*sekurlsa*", "Mimikatz",
    if(toLower(img) matches "*vssadmin*", "ShadowCopy",
    if(toLower(img) matches "*esentutl*" or toLower(img) matches "*ntdsutil*", "ESENTool", "Unknown"))))
| fields _messageTime, Computer, User, img, cmd, DumpMethod
| sort by _messageTime desc

rule t1003_002_sam_credential_dumping {
  meta:
    author = "Detection Engineering"
    description = "Detects SAM database credential dumping via registry export, Mimikatz, VSS shadow copy, or ESENTUTL/NTDSUTIL abuse"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.002"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    (
      (
        re.regex($e.principal.process.file.full_path, `(?i)reg\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)save.*hklm\\sam`) or
          re.regex($e.target.process.command_line, `(?i)save.*hklm\\system`) or
          re.regex($e.target.process.command_line, `(?i)save.*hklm\\security`)
        )
      ) or
      re.regex($e.target.process.command_line, `(?i)(lsadump::sam|lsadump::cache|sekurlsa::msv)`) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)vssadmin\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(create shadow|list shadow)`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(esentutl|ntdsutil)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(sam|ntds|shadow)`)
      )
    )

  condition:
    $e
}

#event_simpleName=ProcessRollup2
| case {
    ImageFileName = /(?i)\\reg\.exe$/ AND CommandLine = /(?i)save.*(hklm\\sam|hklm\\system|hklm\\security)/ | DumpMethod := "RegistryExport";
    CommandLine = /(?i)(lsadump::sam|lsadump::cache|sekurlsa::msv)/ | DumpMethod := "Mimikatz";
    ImageFileName = /(?i)\\vssadmin\.exe$/ AND CommandLine = /(?i)(create shadow|list shadow)/ | DumpMethod := "ShadowCopy";
    ImageFileName = /(?i)\\(esentutl|ntdsutil)\.exe$/ AND CommandLine = /(?i)(sam|ntds|shadow)/ | DumpMethod := "ESENTool";
    * | DumpMethod := "Unknown"
  }
| DumpMethod != "Unknown"
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, DumpMethod], function=[count(aid, as=EventCount), min(timestamp, as=FirstSeen), max(timestamp, as=LastSeen)])
| sort(LastSeen, order=desc)