Uncommon applications reading potentially sensitive files on the Sysvol share may indicate credential access (the rule is tagged with ATT&CK T1552.006, Group Policy Preferences) in support of lateral movement or privilege escalation by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify unauthorized access to these critical system resources.
Detection Rule
title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
id: d51694fe-484a-46ac-92d6-969e76d60d10
related:
    - id: 8344c19f-a023-45ff-ad63-a01c5396aea0
      type: derived
status: test
description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
references:
    - https://github.com/vletoux/pingcastle
author: frack113
date: 2023-12-21
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|startswith: '\\'
        FileName|contains|all:
            - '\sysvol\'
            - '\Policies\'
        FileName|endswith:
            - 'audit.csv'
            - 'Files.xml'
            - 'GptTmpl.inf'
            - 'groups.xml'
            - 'Registry.pol'
            - 'Registry.xml'
            - 'scheduledtasks.xml'
            - 'scripts.ini'
            - 'services.xml'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
imFileEvent
// Field mapping assumed from the ASIM FileEvent schema rather than taken from the original
// conversion: the Sigma FileName field (the full UNC path) maps to TargetFilePath, and the
// Sigma Image field (the accessing process) maps to ActingProcessName. The original translation
// compared the process filters against TargetFilePath, so the trusted-process exclusions could
// never match and every selection hit would have been alerted on.
| where TargetFilePath startswith "\\"
    and TargetFilePath contains "\\sysvol\\"
    and TargetFilePath contains "\\Policies\\"
    and (TargetFilePath endswith "audit.csv"
        or TargetFilePath endswith "Files.xml"
        or TargetFilePath endswith "GptTmpl.inf"
        or TargetFilePath endswith "groups.xml"
        or TargetFilePath endswith "Registry.pol"
        or TargetFilePath endswith "Registry.xml"
        or TargetFilePath endswith "scheduledtasks.xml"
        or TargetFilePath endswith "scripts.ini"
        or TargetFilePath endswith "services.xml")
// condition: selection and not 1 of filter_main_*
| where not(ActingProcessName startswith "C:\\Program Files (x86)\\"
    or ActingProcessName startswith "C:\\Program Files\\"
    or ActingProcessName startswith "C:\\Windows\\system32\\"
    or ActingProcessName startswith "C:\\Windows\\SysWOW64\\"
    or ActingProcessName =~ "C:\\Windows\\explorer.exe")
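As an added example (not part of the Sigma rule or the Sentinel query above), a small Python evaluator that applies the rule's selection and filter logic to constructed file-access events and shows which ones would alert; the field names follow the Sigma rule, and the host names, GUID and paths in the sample events are placeholders.

```python
SENSITIVE_SUFFIXES = (
    "audit.csv", "files.xml", "gpttmpl.inf", "groups.xml", "registry.pol",
    "registry.xml", "scheduledtasks.xml", "scripts.ini", "services.xml",
)
# filter_main_generic: trusted install locations. Sigma string matching is
# case-insensitive by default, so every comparison is done in lower case.
TRUSTED_IMAGE_PREFIXES = (
    "c:\\program files (x86)\\", "c:\\program files\\",
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
)
EXPLORER = "c:\\windows\\explorer.exe"  # filter_main_explorer


def selection_matches(file_name: str) -> bool:
    """'selection': path starts with a backslash (the Sigma literal '\\\\' is one
    backslash), contains \\sysvol\\ and \\policies\\, and ends with a GPO file name."""
    f = file_name.lower()
    return (f.startswith("\\") and "\\sysvol\\" in f
            and "\\policies\\" in f and f.endswith(SENSITIVE_SUFFIXES))


def filtered_out(image: str) -> bool:
    """'1 of filter_main_*': any matching filter suppresses the alert."""
    i = image.lower()
    return i.startswith(TRUSTED_IMAGE_PREFIXES) or i == EXPLORER


def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(event["FileName"]) and not filtered_out(event["Image"])


# Constructed sample events; host names, GUID and paths are placeholders.
GPO = r"\\corp.example\SYSVOL\corp.example\Policies\{GUID}\Machine"
SAMPLE_EVENTS = [
    # tool running from a user profile reads a Group Policy Preferences file -> alert
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "FileName": GPO + r"\Preferences\Groups\Groups.xml"},
    # explorer.exe -> suppressed by filter_main_explorer
    {"Image": r"C:\Windows\explorer.exe", "FileName": GPO + r"\Registry.pol"},
    # System32 binary with mixed-case path -> suppressed by filter_main_generic
    {"Image": r"C:\WINDOWS\System32\gpupdate.exe", "FileName": GPO + r"\Registry.pol"},
    # NETLOGON share rather than Sysvol\Policies -> selection does not match
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "FileName": r"\\corp.example\NETLOGON\logon.bat"},
]


def firing_events(events=SAMPLE_EVENTS):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if rule_fires(e)]
```

Only the first sample event survives both the selection and the filters; the mixed-case System32 path shows why the lower-casing matters when porting the rule to a case-sensitive backend.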
Scenario: A system update or patching tool (e.g., Windows Update, Microsoft Baseline Security Analyzer) accesses Sysvol files during a scheduled maintenance task.
Filter/Exclusion: Exclude file access events where the process name matches svcpack.exe, wusa.exe, or msiexec.exe and the event occurs within a known patching window.
Scenario: A backup application (e.g., Veeam, Acronis) accesses Sysvol files during a scheduled backup job.
Filter/Exclusion: Exclude events where the process name matches veeam.exe, acronisbackup.exe, or vssadmin.exe and the event occurs during a predefined backup window.
Scenario: An administrative task (e.g., Group Policy Object (GPO) editing via gpmc.msc) accesses Sysvol files to retrieve or modify policy settings.
Filter/Exclusion: Exclude events where the process name matches gpmc.exe or gpedit.msc and the file accessed is within the SYSVOL\Policies directory.
Scenario: A third-party application (e.g., Microsoft Intune or Azure AD Connect) accesses Sysvol files to synchronize user or group information.
Filter/Exclusion: Exclude events where the process name matches intunewin.exe, adconnect.exe, or AzureADConnect.exe and the file accessed is within the SYSVOL\AD directory.
Scenario: A script or scheduled job (e.g., Task Scheduler) runs a PowerShell script that accesses Sysvol files for configuration or reporting purposes.
Filter/Exclusion: Exclude events where the process name matches powershell.exe and the command line includes Get-ADObject or Get-GPInheritance, or where the event occurs during a known scheduled job window.