{
|
|
"platform": "all",
|
|
"version": "1.0.0",
|
|
"description": "Detect credential dumping and credential access techniques. All queries are scheduled snapshots of the processes, file and registry tables, so they observe state at each interval rather than individual access events; short-lived tooling between polls is not seen.",
|
|
"queries": {
|
|
"mimikatz_execution": {
|
|
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('mimikatz.exe', 'mimikatz', 'mimilib.dll') OR cmdline LIKE '%sekurlsa%' OR cmdline LIKE '%lsadump%';",
|
|
"interval": 300,
|
|
"description": "Mimikatz execution detected by process/module name or by sekurlsa/lsadump strings on the command line; a renamed binary invoked without those module names is not matched",
|
|
"platform": "windows"
|
|
},
|
|
"lsass_process_access": {
|
|
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE name IN ('procdump.exe', 'procdump64.exe', 'pwdump.exe', 'gsecdump.exe') OR cmdline LIKE '%procdump%lsass%' OR cmdline LIKE '%comsvcs.dll%MiniDump%';",
|
|
"interval": 300,
|
|
"description": "LSASS memory dumping via known tool names (procdump, pwdump, gsecdump) or a comsvcs.dll MiniDump invocation on the command line; the match is name-based, so renamed or custom dumpers evade it",
|
|
"platform": "windows"
|
|
},
|
|
"credential_file_access": {
|
|
"query": "SELECT p.name, p.cmdline, pm.path FROM processes p JOIN process_memory_map pm ON p.pid = pm.pid WHERE pm.path IN ('/etc/shadow', '/etc/passwd', '/etc/master.passwd', 'C:\\Windows\\System32\\config\\SAM', 'C:\\Windows\\System32\\config\\SECURITY') AND p.name NOT IN ('sshd', 'login', 'su', 'sudo', 'lsass.exe');",
|
|
"interval": 300,
|
|
"description": "Processes whose memory map includes a credential store file (shadow, passwd, master.passwd, SAM, SECURITY), excluding a fixed list of process names. This relies on process_memory_map, so a plain read of the file without mapping it may not appear - validate on each platform - and the NOT IN allow list is by name only, which a copied binary can satisfy."
|
|
},
|
|
"shadow_file_reads": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%/etc/shadow%' AND name NOT IN ('sshd', 'login', 'passwd', 'useradd', 'usermod');",
|
|
"interval": 300,
|
|
"description": "Command lines that name /etc/shadow, from processes outside a fixed name allow list; command-line matching misses indirect access (globs, scripts that open the path) and the allow list can be satisfied by process name alone",
|
|
"platform": "posix"
|
|
},
|
|
"sam_registry_access": {
|
|
"query": "SELECT key, name, path FROM registry WHERE key LIKE '%SAM%' OR key LIKE '%SECURITY%';",
|
|
"interval": 600,
|
|
"description": "Inventory of registry keys whose path contains SAM or SECURITY. This returns key metadata at poll time, not access events, so the name 'access' overstates it; confirm the registry table accepts a leading-wildcard key constraint before relying on results",
|
|
"platform": "windows"
|
|
},
|
|
"password_search": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE (cmdline LIKE '%grep%password%' OR cmdline LIKE '%find%password%' OR cmdline LIKE '%Select-String%password%' OR cmdline LIKE '%findstr%password%');",
|
|
"interval": 300,
|
|
"description": "Command lines that combine grep, find, Select-String or findstr with the substring 'password'; variants such as passwd or pwd and encoded commands are not matched"
|
|
},
|
|
"credential_files": {
|
|
"query": "SELECT path, filename, size, mtime FROM file WHERE (filename LIKE '%password%' OR filename LIKE '%credential%' OR filename LIKE '%secret%' OR filename = '.bash_history' OR filename = '.zsh_history' OR filename LIKE '%.pem' OR filename LIKE '%.key') AND (path LIKE '/home/%' OR path LIKE '/Users/%' OR path LIKE 'C:\\Users\\%');",
|
|
"interval": 3600,
|
|
"description": "Inventory of credential-like files (password/credential/secret in the name, shell history, .pem and .key) under user home directories. This lists candidate theft targets, not access to them, and an hourly walk of home directories can be costly - keep the path patterns scoped"
|
|
},
|
|
"browser_credential_theft": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Login Data%' OR cmdline LIKE '%logins.json%' OR cmdline LIKE '%key4.db%' OR cmdline LIKE '%Cookies%';",
|
|
"interval": 300,
|
|
"description": "Command lines that reference browser credential stores (Chromium Login Data, Firefox logins.json and key4.db, Cookies); the bare %Cookies% pattern is broad and will match unrelated commands"
|
|
},
|
|
"keychain_access": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%security%dump-keychain%' OR cmdline LIKE '%keychain%' OR name = 'security';",
|
|
"interval": 300,
|
|
"description": "macOS Keychain access via the security tool or command lines mentioning keychain; name = 'security' matches every invocation of that binary, so expect benign hits from system and management tooling and tune before alerting",
|
|
"platform": "darwin"
|
|
},
|
|
"dpapi_access": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%dpapi%' OR cmdline LIKE '%CryptUnprotectData%';",
|
|
"interval": 300,
|
|
"description": "Command lines containing dpapi or CryptUnprotectData; this only catches tooling that names them on the command line, not in-process DPAPI API calls",
|
|
"platform": "windows"
|
|
},
|
|
"ntds_dit_access": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%ntds.dit%';",
|
|
"interval": 300,
|
|
"description": "Command lines that literally contain ntds.dit; tooling that extracts the AD database without naming the file on the command line is not matched",
|
|
"platform": "windows"
|
|
},
|
|
"kerberos_ticket_theft": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%klist%' OR cmdline LIKE '%kerberos%' OR cmdline LIKE '%kirbi%' OR cmdline LIKE '%ccache%';",
|
|
"interval": 300,
|
|
"description": "Command lines referencing klist, kerberos, kirbi or ccache; klist and the generic string 'kerberos' are routinely benign, so suppress or enrich these results rather than alerting on them directly"
|
|
},
|
|
"sudo_without_password": {
|
|
"query": "SELECT pid, name, cmdline, uid FROM processes WHERE name = 'sudo' AND cmdline NOT LIKE '%-S%' AND uid != 0;",
|
|
"interval": 300,
|
|
"description": "Non-root sudo invocations whose command line does not contain -S (read password from stdin). The query cannot tell whether a password prompt occurred, so 'cached credentials' is an assumption rather than something the data shows, and %-S% also matches any argument containing -S",
|
|
"platform": "posix"
|
|
},
|
|
"sudoers_file_access": {
|
|
"query": "SELECT path, mtime, ctime FROM file WHERE path IN ('/etc/sudoers', '/etc/sudoers.d') OR path LIKE '/etc/sudoers.d/%';",
|
|
"interval": 3600,
|
|
"description": "Hourly snapshot of /etc/sudoers and /etc/sudoers.d metadata (mtime, ctime); a modification is visible only by comparing successive results, and the one-hour interval leaves a wide window between polls",
|
|
"platform": "posix"
|
|
},
|
|
"ssh_private_keys": {
|
|
"query": "SELECT path, filename, mode, uid, gid FROM file WHERE filename LIKE 'id_%' AND path LIKE '%/.ssh/%' AND filename NOT LIKE '%.pub';",
|
|
"interval": 3600,
|
|
"description": "Inventory of id_* files without a .pub suffix under .ssh directories; private keys with other names are missed, and the leading-wildcard path constraint should be confirmed to work with the file table on the target osquery version",
|
|
"platform": "posix"
|
|
},
|
|
"powershell_credential_access": {
|
|
"query": "SELECT pid, name, cmdline FROM processes WHERE cmdline LIKE '%Get-Credential%' OR cmdline LIKE '%ConvertFrom-SecureString%' OR cmdline LIKE '%CredentialManager%';",
|
|
"interval": 300,
|
|
"description": "Command lines containing Get-Credential, ConvertFrom-SecureString or CredentialManager; encoded commands or script-file invocations do not expose these names on the command line",
|
|
"platform": "windows"
|
|
},
|
|
"registry_credential_storage": {
|
|
"query": "SELECT key, name, data FROM registry WHERE key LIKE '%Credentials%' OR key LIKE '%Password%';",
|
|
"interval": 3600,
|
|
"description": "Registry values under keys whose path contains Credentials or Password. Note that the data column is selected, so any plaintext secret found is copied into the query results and the log pipeline - consider omitting data or restricting the key paths before deploying",
|
|
"platform": "windows"
|
|
}
|
|
}
|
|
}
|