Correlated file access to insecure credential files (e.g., .env, .xml, *.ps1) followed by suspicious process execution or authentication using retrieved credentials. Detected through Sysmon logs and Windows Security Event logs.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |

| Field | Description |
|---|---|
| FileNamePattern | Patterns like *.env, *credential* can be tuned to reduce noise or catch custom implementations |
| ProcessAccessScope | Defines scope of access (e.g., only untrusted parent processes or high-risk processes) |
| TimeWindow | Time delta between credential file access and use in logon attempt |

File reads or process executions involving insecurely stored credential files (e.g., config files with password fields) by non-root or anomalous users, followed by SSH authentication attempts.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open/read of sensitive config or secret files |
| Command Execution (DC0064) | auditd:EXECVE | grep/cat/awk on files with password fields |
| Logon Session Creation (DC0067) | linux:syslog | authentication success after file access |

| Field | Description |
|---|---|
| RegexPatterns | Patterns like password, secret, token can be expanded or customized |
| UserContextScope | Scope of users monitored (e.g., root vs all users) |
| TimeWindow | Time between suspicious file access and credential use |

Terminal-based grep or open of plist/config files containing credentials, correlated with Keychain or system login attempts.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | grep/cat on files matching credential patterns |
| File Access (DC0055) | macos:unifiedlog | open/read of *.plist or .env files |
| Logon Session Creation (DC0067) | macos:unifiedlog | Keychain or user login post-access |

| Field | Description |
|---|---|
| KeychainToolAccess | Monitor unexpected use of the security CLI or Keychain helper binaries |
| FileTypeList | Add or remove watched file types based on system usage |

Container processes accessing mounted secrets or configuration paths (e.g., /run/secrets, /mnt/config) followed by network access or credential use.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | ebpf:syscalls | open/read on secret mount paths |
| Command Execution (DC0064) | kubernetes:audit | process execution involving curl, grep, or awk on secrets |
| Network Connection Creation (DC0082) | cni:netflow | outbound connection to internal or external APIs |

| Field | Description |
|---|---|
| SecretMountPaths | Customize based on deployment structure (e.g., /mnt/, /run/secrets/) |
| ProcessBaselineDeviation | Tune anomaly scoring for container image deviations |

Access to local credential/config files (e.g., ~/.aws/credentials) followed by metadata API calls or cloud role assumptions.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | CloudTrail:GetObject | sensitive credential files in buckets or local image storage |
| Command Execution (DC0064) | AWS:CloudTrail | command-line execution invoking credential enumeration |
| Logon Session Creation (DC0067) | AWS:CloudTrail | sudden role assumption after credential file access |

| Field | Description |
|---|---|
| CredentialFilePattern | Regex to match common credential files (e.g., *.aws/credentials, token.txt) |
| RoleAssumptionScope | Adjust scope of roles monitored (e.g., admin, service accounts) |
| TimeWindow | Correlation timing between file access and AssumeRole |
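All five analytics above share one mechanism: classify an event as a credential-file access (file name or reader command matching tunable patterns) or as a follow-on use (logon, SSH acceptance, AssumeRole), then pair the two when they come from the same host inside a time window. The script below is an added example, not code from the page or from any detection product, showing that correlation for the Windows, Linux and cloud variants in one place. The event records are constructed, pre-normalised dicts; the field names (ts, host, user, source, code, process, target, logon_type) and the trusted-process list are this example's assumptions, and the mutable elements from the tables (name patterns, content patterns, time window, process scope) are the constants at the top.

```python
"""Correlate credential-file access with follow-on credential use.

Added example, not part of the original analytic text. Events are constructed
dicts standing in for Sysmon, Windows Security, auditd, syslog and CloudTrail
records after normalisation; the schema used here is an assumption.
"""
import re
from datetime import datetime, timedelta

# Mutable elements (FileNamePattern / RegexPatterns / ProcessAccessScope / TimeWindow).
FILE_NAME_RE = re.compile(r"(\.env$|credential|\.ps1$|\.xml$|\.plist$|^/run/secrets/)", re.IGNORECASE)
CONTENT_RE = re.compile(r"password|secret|token", re.IGNORECASE)
READER_CMDS = {"grep", "cat", "awk", "type", "findstr", "less", "head"}
TRUSTED_PROCESSES = {"backupagent.exe", "msmpeng.exe"}   # constructed allow-list, tune per estate
TIME_WINDOW = timedelta(minutes=10)


def is_credential_file_access(ev):
    """Access side: creation/read of a watched file, or a reader command whose
    arguments name such a file or a password-like field."""
    src, code = ev["source"], ev["code"]
    if src == "Sysmon" and code == 11:
        if ev.get("process", "").lower() in TRUSTED_PROCESSES:
            return False                      # ProcessAccessScope: skip trusted readers
        return bool(FILE_NAME_RE.search(ev["target"]))
    if src == "auditd" and code == "SYSCALL":
        return ev.get("syscall") in {"open", "openat", "read"} and bool(FILE_NAME_RE.search(ev["target"]))
    if src == "auditd" and code == "EXECVE":
        argv = ev["target"].split()
        return argv[0] in READER_CMDS and any(
            FILE_NAME_RE.search(a) or CONTENT_RE.search(a) for a in argv[1:])
    if src == "CloudTrail" and code == "GetObject":
        return bool(FILE_NAME_RE.search(ev["target"]))
    return False


def is_credential_use(ev):
    """Use side: an authentication or role assumption the retrieved secret could enable."""
    src, code = ev["source"], ev["code"]
    if src == "Security" and code == 4624:
        return ev.get("logon_type") in {3, 10}          # network / RemoteInteractive logons
    if src == "syslog" and code == "sshd":
        return ev["target"].startswith("Accepted ")
    if src == "CloudTrail" and code == "AssumeRole":
        return True
    return False


def correlate(events, window=TIME_WINDOW):
    """Pair each use event with credential-file accesses from the same host
    within `window` before it. The key is the originating host (workstation,
    Linux hostname, or cloud principal/instance, assumed normalised on both
    sides); reader and authenticating account may differ, because the account
    used for the logon is usually the one found in the file, not the reader."""
    events = sorted(events, key=lambda e: e["ts"])
    recent_access, alerts = [], []
    for ev in events:
        if is_credential_file_access(ev):
            recent_access.append(ev)
            continue
        if not is_credential_use(ev):
            continue
        recent_access = [a for a in recent_access if ev["ts"] - a["ts"] <= window]  # age out
        for a in recent_access:
            if a["host"] == ev["host"]:
                alerts.append({
                    "host": ev["host"], "reader": a["user"], "file_or_cmd": a["target"],
                    "used_by": ev["user"], "use_event": f'{ev["source"]}:{ev["code"]}',
                    "delta_s": int((ev["ts"] - a["ts"]).total_seconds()),
                })
    return alerts


T = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed records; the host on the use side is the originating host
    {"ts": T, "host": "WS01", "user": "alice", "source": "Sysmon", "code": 11,
     "process": "powershell.exe", "target": r"C:\app\.env"},
    {"ts": T + timedelta(minutes=3), "host": "WS01", "user": "svc_deploy",
     "source": "Security", "code": 4624, "logon_type": 3, "target": "FS01"},
    {"ts": T, "host": "WS02", "user": "SYSTEM", "source": "Sysmon", "code": 11,
     "process": "BackupAgent.exe", "target": r"D:\shares\app\.env"},      # trusted reader, no alert
    {"ts": T + timedelta(minutes=1), "host": "WS02", "user": "bob",
     "source": "Security", "code": 4624, "logon_type": 3, "target": "FS01"},
    {"ts": T + timedelta(hours=1), "host": "web01", "user": "www-data",
     "source": "auditd", "code": "EXECVE", "target": "grep -i password /etc/app/config.yml"},
    {"ts": T + timedelta(hours=1, minutes=2), "host": "web01", "user": "deploy",
     "source": "syslog", "code": "sshd", "target": "Accepted password for deploy from 10.0.0.5 port 51234 ssh2"},
    {"ts": T + timedelta(hours=2), "host": "i-0abc123", "user": "app-role",
     "source": "CloudTrail", "code": "GetObject", "target": "s3://app-config/.aws/credentials"},
    {"ts": T + timedelta(hours=2, minutes=30), "host": "i-0abc123", "user": "app-role",
     "source": "CloudTrail", "code": "AssumeRole", "target": "arn:aws:iam::123456789012:role/Admin"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the default ten-minute window the sample yields two alerts (the WS01 .env read followed by a network logon as a different account, and the web01 grep for "password" followed by an accepted SSH login); the CloudTrail pair is thirty minutes apart and only surfaces when TimeWindow is widened, which is the trade-off the TimeWindow element exists to tune.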