Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
Sigma rule (View on GitHub)
1title: Credentials In Files
2id: 53b1b378-9b06-4992-b972-dde6e423d2b4
3status: test
4description: Detecting attempts to extract passwords with grep and laZagne
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
7author: 'Igor Fits, Mikhail Larin, oscd.community'
8date: 2020/10/19
9modified: 2021/11/27
10tags:
11 - attack.credential_access
12 - attack.t1552.001
13logsource:
14 product: macos
15 category: process_creation
16detection:
17 selection1:
18 Image|endswith: '/grep'
19 CommandLine|contains: 'password'
20 selection2:
21 CommandLine|contains: 'laZagne'
22 condition: 1 of selection*
23falsepositives:
24 - Unknown
25level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Kerberos Network Traffic RC4 Ticket Encryption
- Possible Impacket SecretDump Remote Activity - Zeek
- Suspicious History File Operations
- Password Dumper Activity on LSASS
- Time Travel Debugging Utility Usage