Initial commit

skills/incident-response/detection-sigma/assets/rule-templates/credential-access.yml

@@ -0,0 +1,73 @@
+title: Credential Access via [TECHNIQUE]
+id: GENERATE-NEW-UUID
+status: experimental
+description: Detects credential theft/dumping using [specific technique/tool]
+references:
+    - https://attack.mitre.org/tactics/TA0006/
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - attack.credential_access
+    - attack.t1003  # Replace with specific technique
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Define your detection criteria
+    condition: selection
+falsepositives:
+    - Legitimate password reset tools
+    - Security assessment tools (authorized)
+level: critical
+fields:
+    - User
+    - CommandLine
+    - TargetImage
+    - GrantedAccess
+
+# Common Credential Access Techniques:
+#
+# T1003.001 - LSASS Memory Dump
+# logsource:
+#     category: process_access
+# detection:
+#     selection:
+#         TargetImage|endswith: '\lsass.exe'
+#         GrantedAccess|contains:
+#             - '0x1010'
+#             - '0x1410'
+#             - '0x147a'
+#             - '0x143a'
+#
+# T1003.002 - Security Account Manager (SAM)
+# detection:
+#     selection:
+#         Image|endswith: '\reg.exe'
+#         CommandLine|contains|all:
+#             - 'save'
+#             - 'HKLM\SAM'
+#
+# T1558.003 - Kerberoasting
+# logsource:
+#     category: authentication
+# detection:
+#     selection:
+#         EventID: 4769
+#         ServiceName: '*$'
+#         TicketEncryptionType: '0x17'
+#
+# T1110 - Brute Force
+# detection:
+#     selection:
+#         EventID: 4625  # Failed logon
+#     condition: selection | count(TargetUserName) by SourceIp > 10
+#
+# T1555 - Credentials from Password Stores
+# detection:
+#     selection:
+#         Image|endswith:
+#             - '\vaultcmd.exe'
+#             - '\cmdkey.exe'
+#         CommandLine|contains: '/list'