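# Sigma rule template for Credential Access (MITRE ATT&CK TA0006) detections.
# Fill in every [placeholder], generate a fresh UUID for `id`, and make sure
# `selection` is non-empty before the rule is compiled: a selection with only
# comments under it is a null mapping and will match nothing / fail validation.
title: Credential Access via [TECHNIQUE]
id: GENERATE-NEW-UUID  # replace with a freshly generated UUID; duplicate ids break rule management
status: experimental  # promote to test/stable only after exercising the rule against real telemetry
description: Detects credential theft/dumping using [specific technique/tool]
references:
  - https://attack.mitre.org/tactics/TA0006/
author: Your Name
# NOTE(review): YYYY/MM/DD is the older Sigma date format; newer tooling expects
# YYYY-MM-DD — confirm which your pipeline validates.
date: 2024/01/20
modified: 2024/01/20  # bump whenever the detection logic changes
tags:
  - attack.credential_access
  - attack.t1003  # Replace with the specific (sub-)technique, e.g. attack.t1003.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Define your detection criteria here, e.g.:
    #   Image|endswith: '\[tool].exe'
    #   CommandLine|contains: '[argument]'
  condition: selection
falsepositives:
  - Legitimate password reset tools
  - Security assessment tools (authorized)
level: critical  # keep critical only for high-confidence matches; tune down if the rule is noisy
fields:
  - User
  - CommandLine
  # NOTE(review): TargetImage and GrantedAccess belong to process_access events
  # (Sysmon Event ID 10), not process_creation — drop them or change
  # logsource.category when the finished rule keeps process_creation.
  - TargetImage
  - GrantedAccess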
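# Common Credential Access technique snippets (reference only). Copy the
# relevant logsource/detection stanza into the rule above, remove the leading
# `# `, and keep the indentation shown. All stanzas assume `product: windows`.
#
# T1003.001 - LSASS Memory Dump
# Needs process_access telemetry (e.g. Sysmon Event ID 10). The access masks
# below are substring-matched because of |contains; check them against the
# rights combinations your tooling actually reports before relying on them.
# logsource:
#   category: process_access
# detection:
#   selection:
#     TargetImage|endswith: '\lsass.exe'
#     GrantedAccess|contains:
#       - '0x1010'
#       - '0x1410'
#       - '0x147a'
#       - '0x143a'
#
# T1003.002 - Security Account Manager (SAM)
# Offline hive dumps commonly also save the SYSTEM and SECURITY hives;
# consider covering those hive names as well.
# detection:
#   selection:
#     Image|endswith: '\reg.exe'
#     CommandLine|contains|all:
#       - 'save'
#       - 'HKLM\SAM'
#
# T1558.003 - Kerberoasting
# NOTE(review): `ServiceName: '*$'` matches names ENDING in '$', i.e. machine
# accounts, which published rules normally exclude via a separate filter
# (`condition: selection and not filter`) — confirm the intended polarity, and
# consider excluding krbtgt too. 0x17 is RC4-HMAC, the ticket encryption type
# that a Kerberoasting request typically asks for.
# NOTE(review): Sigma rules for Event ID 4769 usually use `service: security`
# rather than a category — check your backend's logsource mapping.
# logsource:
#   category: authentication
# detection:
#   selection:
#     EventID: 4769
#     ServiceName: '*$'
#     TicketEncryptionType: '0x17'
#
# T1110 - Brute Force
# NOTE(review): count(TargetUserName) by SourceIp counts distinct user names per
# source, which models password spraying; classic brute force counts failed
# logons per TargetUserName instead. Also confirm the source-address field name
# your backend exposes for 4625 (often IpAddress) against your schema.
# detection:
#   selection:
#     EventID: 4625  # Failed logon
#   condition: selection | count(TargetUserName) by SourceIp > 10
#
# T1555 - Credentials from Password Stores
# detection:
#   selection:
#     Image|endswith:
#       - '\vaultcmd.exe'
#       - '\cmdkey.exe'
#     CommandLine|contains: '/list'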