Language: SPL. License: Apache-2.0. Source: splunk/security_content
Linux Auditd Find Credentials From Password Managers
The following analytic detects execution of find or grep with command-line arguments that reference password manager storage files or directories, as recorded in Linux auditd execve events. The search matches on file extensions and product names such as .kdbx and KeePass, .opvault, .agilekeychain, .lpdb, .dashlane, .walletx, Enpass, Passbolt and StickyPassword. An adversary who has gained a foothold on a host commonly searches the filesystem for these databases before copying them off for offline cracking or reuse in lateral movement, so a single find or grep invocation carrying these strings is worth triage. Two of the patterns, *vault* and *.kdb*, are broad: find or grep runs under HashiCorp Vault or ansible-vault paths, and legitimate users locating their own KeePass database, will also match and should be tuned out in the filter macro rather than by loosening the pattern list.
Rule source: detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.kdbx*", "*KeePass*", "*.enforced*", "*.lpdb*", "*.opvault*", "*.agilekeychain*", "*.dashlane*", "*.rfx*", "*passbolt*", "*.spdb*", "*StickyPassword*", "*.walletx*", "*enpass*", "*vault*", "*.kdb*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_find_credentials_from_password_managers_filter`
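The Python below re-implements the logic of the search above on raw auditd EXECVE records so the matching can be checked offline. It is an added example written for this page, not code from splunk/security_content or from the Splunk add-on. The sample records, hostnames and timestamps are constructed; it assumes execve_command is argv joined with single spaces and that Splunk's IN() with wildcards is a case-insensitive glob, both of which are approximations of how the field and the operator behave in a real deployment. One record carries a hex-encoded argument, which auditd emits for any argv element containing a space, so the example also shows why the raw log cannot be string-matched without decoding.

```python
import re
from fnmatch import fnmatchcase

# The two IN() lists from the SPL search, copied verbatim.
COMMAND_PATTERNS = ("*find*", "*grep*")
CREDENTIAL_PATTERNS = (
    "*.kdbx*", "*KeePass*", "*.enforced*", "*.lpdb*", "*.opvault*",
    "*.agilekeychain*", "*.dashlane*", "*.rfx*", "*passbolt*", "*.spdb*",
    "*StickyPassword*", "*.walletx*", "*enpass*", "*vault*", "*.kdb*",
)

# Constructed sample input: (host, raw auditd EXECVE record). Hostnames and
# timestamps are invented for this example. Record 5 carries a hex-encoded
# argument ("my vault"), which auditd emits for argv elements containing a space.
SAMPLE_EVENTS = [
    ("web01", 'type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="find" a1="/home" a2="-name" a3="*.kdbx"'),
    ("web01", 'type=EXECVE msg=audit(1700000060.202:202): argc=3 a0="grep" a1="-rl" a2="passbolt"'),
    ("db02",  'type=EXECVE msg=audit(1700000120.303:203): argc=3 a0="ls" a1="-la" a2="/srv/vault"'),
    ("db02",  'type=EXECVE msg=audit(1700000180.404:204): argc=4 a0="find" a1="/opt/hashicorp/vault" a2="-name" a3="*.log"'),
    ("web01", 'type=EXECVE msg=audit(1700000240.505:205): argc=4 a0="grep" a1="-ri" a2="password" a3=6D79207661756C74'),
    ("web01", 'type=EXECVE msg=audit(1700000300.606:206): argc=4 a0="find" a1="/home" a2="-name" a3="*.kdbx"'),
    ("db02",  'type=EXECVE msg=audit(1700000360.707:207): argc=3 a0="cat" a1="-n" a2="/root/db.kdb"'),
]

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")
ARGC_RE = re.compile(r"\bargc=(\d+)")
# a<N>="..." for plain arguments, a<N>=<hex> for arguments auditd had to encode.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(host, line):
    """Turn one raw EXECVE record into the fields the SPL search uses, or None."""
    if "type=EXECVE" not in line:
        return None
    ts, argc = MSG_RE.search(line), ARGC_RE.search(line)
    if not (ts and argc):
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        args[idx] = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    # Assumption: execve_command is argv joined with single spaces, which is
    # the shape the search's wildcard patterns are written against.
    return {
        "_time": float(ts.group(1)),
        "dest": host,  # | rename host as dest
        "argc": int(argc.group(1)),
        "execve_command": " ".join(args[i] for i in sorted(args)),
    }


def splunk_in(value, patterns):
    """Approximation of SPL `field IN ("*a*", "*b*")`: case-insensitive glob match."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def run_detection(events):
    """Apply the search filter, then `stats count min(_time) max(_time) by argc execve_command dest`."""
    rows = {}
    for host, line in events:
        ev = parse_execve(host, line)
        if ev is None:
            continue
        cmd = ev["execve_command"]
        if not (splunk_in(cmd, COMMAND_PATTERNS) and splunk_in(cmd, CREDENTIAL_PATTERNS)):
            continue
        key = (ev["argc"], cmd, ev["dest"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


if __name__ == "__main__":
    for (argc, cmd, dest), row in run_detection(SAMPLE_EVENTS).items():
        print(f"{dest:6} argc={argc} count={row['count']} first={row['firstTime']} last={row['lastTime']} cmd={cmd!r}")
```

Running it produces four rows: the two attacker-style searches, the hex-encoded grep that only matches because the argument was decoded, and the find under /opt/hashicorp/vault, which is the kind of hit the *vault* pattern will generate on hosts running HashiCorp Vault and is the first candidate for the linux_auditd_find_credentials_from_password_managers_filter macro. The ls and cat records are dropped because the first IN() list requires find or grep regardless of how suspicious the path looks.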