
Suspicious Unattend.xml File Access (1a3d42dd-3763-46b9-8025-b5f17f340dfb)

Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Suspicious Unattend.xml File Access (1a3d42dd-3763-46b9-8025-b5f17f340dfb) | Sigma-Rules | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1 |
| Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |