Adversaries may exfiltrate a copy of the SAM hive to extract local account credentials using HiveNightmare (CVE-2021-36934) exploitation techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft early and limit lateral movement in their environment.
Detection Rule
title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1552.001
    - cve.2021-36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
            - '\hive_sam_' # Go version
            - '\SAM-2021-' # C++ version
            - '\SAM-2022-' # C++ version
            - '\SAM-2023-' # C++ version
            - '\SAM-haxx' # Early C++ versions
            - '\Sam.save' # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high
imFileEvent
| where (TargetFileName contains "\\hive_sam_"
    or TargetFileName contains "\\SAM-2021-"
    or TargetFileName contains "\\SAM-2022-"
    or TargetFileName contains "\\SAM-2023-"
    or TargetFileName contains "\\SAM-haxx"
    or TargetFileName contains "\\Sam.save")
    or TargetFileName =~ "C:\\windows\\temp\\sam"
False-positive scenarios and the exclusion applied to each (an event is kept for alerting when the filter expression is true):

Scenario: A system administrator uses PowerShell to export the SAM file as part of a routine system audit or security compliance check.
Filter/Exclusion: process.name != "powershell.exe" or process.args !~ "Export-Clixml|Export-Csv"

Scenario: A scheduled task runs a script that legitimately copies the SAM file to a backup location for forensic analysis.
Filter/Exclusion: process.name != "schtasks.exe" or process.args !~ "backup|copy|sam"

Scenario: A Windows Admin Center or Group Policy Management Console (GPMC) tool accesses the SAM file during a configuration audit.
Filter/Exclusion: process.name != "WindowsAdminCenter.exe" and process.name != "gpmc.msc"

Scenario: A third-party security tool (e.g., Microsoft Defender for Identity) performs a SAM file export as part of its threat detection workflow.
Filter/Exclusion: process.name != "Microsoft Defender for Identity" or process.args !~ "sam|export"

Scenario: A Windows Update or System File Checker (SFC) process temporarily accesses the SAM file during system maintenance.
Filter/Exclusion: (process.name != "svchost.exe" and process.name != "sfc.exe") or process.args !~ "scannow|scan|sam"