Yara Rule - Sam Hive 백업 파일 감지 - Sam은 보안 계정 관리자 - 암호 해시 포함
Yara 정의.
Yara Rule - Detects a SAM hive backup file - SAM is the Security Account Manager - contains password hashes
Yara definition.
Author: Florian Roth
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry
score = 60
nodeepdive = 1
date = "2015-03-31"
modified = "2023-12-06"
$s1 = "\\SystemRoot\\System32\\Config\\SAM" wide
uint32(0) == 0x66676572 and $s1 in (0..200)```
[https://github.com/Neo23x0/signature-base/commit/dbb66b0cbfa9a22a058da2f14328e7cbf5b4a306](https://github.com/Neo23x0/signature-base/commit/dbb66b0cbfa9a22a058da2f14328e7cbf5b4a306)