SPL detection, Apache-2.0 licensed, from splunk/security_content
Linux Auditd Find Credentials From Password Stores
The following analytic detects attempts to locate credentials stored in password stores, which can indicate an attacker searching for login material on a compromised host. It keys on Linux auditd execve records where the command line invokes find or grep together with terms such as "password", "pass ", "credential" or "creds". Password stores are critical repositories of valuable credentials, and unauthorized access to them can lead to significant breaches. By surfacing unusual or unauthorized searches of this kind, the analytic helps identify credential theft attempts early so that security teams can respond promptly and prevent unauthorized access to critical systems and data.
Rule source: detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*password*", "*pass *", "*credential*", "*creds*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_find_credentials_from_password_stores_filter`
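To see how the search above behaves on concrete records, the following Python re-implements its logic outside Splunk: the two wildcard IN clauses on execve_command, the three renames, the stats aggregation by argc, execve_command and dest, and a stand-in for the trailing filter macro. This is an added example and not code from splunk/security_content; the auditd-style events are constructed here, the allowlist parameter is a hypothetical replacement for the empty `_filter` macro, and case-insensitive matching is assumed to mirror Splunk's default wildcard comparison.

```python
"""Emulation of the 'Linux Auditd Find Credentials From Password Stores'
search logic in plain Python (added example, not the project's own code)."""
import fnmatch
from datetime import datetime, timezone

# The two IN() lists from the rule. Both must match the same command line.
TOOL_PATTERNS = ("*find*", "*grep*")
CREDENTIAL_PATTERNS = ("*password*", "*pass *", "*credential*", "*creds*")

# Constructed sample events shaped like normalised auditd EXECVE records with
# the fields the rule uses (_time, host, comm, exe, argc, execve_command).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "host": "web01", "comm": "find",
     "exe": "/usr/bin/find", "argc": 5,
     "execve_command": "find / -name *password* -type f"},
    {"_time": "2024-05-01T10:05:00Z", "host": "web01", "comm": "find",
     "exe": "/usr/bin/find", "argc": 5,
     "execve_command": "find / -name *password* -type f"},
    {"_time": "2024-05-01T10:07:00Z", "host": "db02", "comm": "grep",
     "exe": "/bin/grep", "argc": 4,
     "execve_command": "grep -ri credentials /etc"},
    {"_time": "2024-05-01T10:09:00Z", "host": "db02", "comm": "grep",
     "exe": "/bin/grep", "argc": 4,
     "execve_command": "grep -r passwd /etc"},          # "passwd" != "pass "
    {"_time": "2024-05-01T10:11:00Z", "host": "web01", "comm": "find",
     "exe": "/usr/bin/find", "argc": 4,
     "execve_command": "find /home -name *.log"},        # find, but no keyword
    {"_time": "2024-05-01T10:12:00Z", "host": "web01", "comm": "cat",
     "exe": "/bin/cat", "argc": 2,
     "execve_command": "cat /etc/passwd"},               # keyword-ish, no tool
    {"_time": "2024-05-01T10:13:00Z", "host": "db02", "comm": "grep",
     "exe": "/bin/grep", "argc": 4,
     "execve_command": "grep -r pass /var/www"},         # matches "*pass *"
]


def is_match(event: dict) -> bool:
    """Both IN() clauses must be satisfied by execve_command.
    Lower-casing assumes Splunk's case-insensitive wildcard comparison."""
    cmd = event["execve_command"].lower()
    has_tool = any(fnmatch.fnmatchcase(cmd, p) for p in TOOL_PATTERNS)
    has_keyword = any(fnmatch.fnmatchcase(cmd, p) for p in CREDENTIAL_PATTERNS)
    return has_tool and has_keyword


def normalise(event: dict) -> dict:
    """Mirror the rename steps: host->dest, comm->process_name, exe->process."""
    ts = datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "_time": ts.replace(tzinfo=timezone.utc),
        "dest": event["host"],
        "process_name": event["comm"],
        "process": event["exe"],
        "argc": event["argc"],
        "execve_command": event["execve_command"],
    }


def run_detection(events, allowlist=frozenset()):
    """Emulate 'stats count min(_time) max(_time) BY argc execve_command dest'.
    'allowlist' (hypothetical) drops exact command lines, standing in for the
    rule's empty _filter macro where local tuning would normally go."""
    results = {}
    for raw in events:
        if not is_match(raw):
            continue
        ev = normalise(raw)
        key = (ev["argc"], ev["execve_command"], ev["dest"])
        entry = results.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ev["_time"])
        entry["lastTime"] = max(entry["lastTime"], ev["_time"])
    return {k: v for k, v in results.items() if k[1] not in allowlist}


if __name__ == "__main__":
    for (argc, cmd, dest), agg in run_detection(SAMPLE_EVENTS).items():
        print(f"{dest}: argc={argc} count={agg['count']} "
              f"first={agg['firstTime'].isoformat()} "
              f"last={agg['lastTime'].isoformat()} cmd={cmd!r}")
```

Running it shows why the rule groups by the full command line: the two identical find invocations collapse into one row with count 2, while `grep -r passwd /etc` never fires because "passwd" does not contain "pass " or "password". That same literalness is the tuning lever: an administrator's recurring `grep -r pass /var/www` would be a natural candidate for the filter macro rather than for loosening the patterns.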