splApache-2.0from splunk/security_content
Linux Auditd Private Keys and Certificate Enumeration
The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.
Quality
0
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.pem*", "*.cer*", "*.crt*", "*.pgp*", "*.key*", "*.gpg*", "*.ppk*", "*.p12*", "*.pfx*", "*.p7b*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_private_keys_and_certificate_enumeration_filter`