{ "platform": "all", "version": "1.0.0", "description": "Detect credential dumping and credential access techniques", "queries": { "mimikatz_execution": { "query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('mimikatz.exe', 'mimikatz', 'mimilib.dll') OR cmdline LIKE '%sekurlsa%' OR cmdline LIKE '%lsadump%';", "interval": 300, "description": "Mimikatz execution detection", "platform": "windows" }, "lsass_process_access": { "query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('procdump.exe', 'procdump64.exe', 'pwdump.exe', 'gsecdump.exe') OR cmdline LIKE '%procdump%lsass%' OR cmdline LIKE '%comsvcs.dll%MiniDump%';", "interval": 300, "description": "LSASS memory dumping tools", "platform": "windows" }, "credential_file_access": { "query": "SELECT p.name, p.cmdline, pm.path FROM processes p JOIN process_memory_map pm ON p.pid = pm.pid WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SECURITY') AND p.name NOT IN ('sshd', 'login', 'su', 'sudo', 'lsass.exe');", "interval": 300, "description": "Access to credential storage files" }, "shadow_file_reads": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%/etc/shadow%' AND name NOT IN ('sshd', 'login', 'passwd', 'useradd', 'usermod');", "interval": 300, "description": "Possible unauthorized /etc/shadow access", "platform": "posix" }, "sam_registry_access": { "query": "SELECT key, name, path FROM registry WHERE key LIKE '%SAM%' OR key LIKE '%SECURITY%';", "interval": 600, "description": "SAM and SECURITY registry key access", "platform": "windows" }, "password_search": { "query": "SELECT pid, name, cmdline FROM processes WHERE (cmdline LIKE '%grep%password%' OR cmdline LIKE '%find%password%' OR cmdline LIKE '%Select-String%password%' OR cmdline LIKE '%findstr%password%');", "interval": 300, "description": "Searching for password files" }, "credential_files": { "query": "SELECT path, 
filename, size, mtime FROM file WHERE (filename LIKE '%password%' OR filename LIKE '%credential%' OR filename LIKE '%secret%' OR filename = '.bash_history' OR filename = '.zsh_history' OR filename LIKE '%.pem' OR filename LIKE '%.key') AND (path LIKE '/home/%' OR path LIKE '/Users/%' OR path LIKE 'C:\\Users\\%');", "interval": 3600, "description": "Credential-related files" }, "browser_credential_theft": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Login Data%' OR cmdline LIKE '%logins.json%' OR cmdline LIKE '%key4.db%' OR cmdline LIKE '%Cookies%';", "interval": 300, "description": "Browser credential database access" }, "keychain_access": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%security%dump-keychain%' OR cmdline LIKE '%keychain%' OR name = 'security';", "interval": 300, "description": "macOS Keychain access", "platform": "darwin" }, "dpapi_access": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%dpapi%' OR cmdline LIKE '%CryptUnprotectData%';", "interval": 300, "description": "Windows DPAPI credential access", "platform": "windows" }, "ntds_dit_access": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ntds.dit%';", "interval": 300, "description": "Active Directory database access", "platform": "windows" }, "kerberos_ticket_theft": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%klist%' OR cmdline LIKE '%kerberos%' OR cmdline LIKE '%kirbi%' OR cmdline LIKE '%ccache%';", "interval": 300, "description": "Kerberos ticket manipulation" }, "sudo_without_password": { "query": "SELECT pid, name, cmdline, uid FROM processes WHERE name = 'sudo' AND cmdline NOT LIKE '%-S%' AND uid != 0;", "interval": 300, "description": "Sudo usage potentially leveraging cached credentials", "platform": "posix" }, "sudoers_file_access": { "query": "SELECT path, mtime, ctime FROM file WHERE path IN ('/etc/sudoers', '/etc/sudoers.d') OR path LIKE 
'/etc/sudoers.d/%';", "interval": 3600, "description": "Sudoers file modification monitoring", "platform": "posix" }, "ssh_private_keys": { "query": "SELECT path, filename, mode, uid, gid FROM file WHERE filename LIKE 'id_%' AND path LIKE '%/.ssh/%' AND filename NOT LIKE '%.pub';", "interval": 3600, "description": "SSH private key files", "platform": "posix" }, "powershell_credential_access": { "query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Get-Credential%' OR cmdline LIKE '%ConvertFrom-SecureString%' OR cmdline LIKE '%CredentialManager%';", "interval": 300, "description": "PowerShell credential access commands", "platform": "windows" }, "registry_credential_storage": { "query": "SELECT key, name, data FROM registry WHERE key LIKE '%Credentials%' OR key LIKE '%Password%';", "interval": 3600, "description": "Registry keys that may contain stored credentials", "platform": "windows" } } }