Unusual access to bash history, registry credential paths, or private key files by unauthorized or scripting tools, with correlated file and process activity.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| TimeWindow | Threshold time within which access to multiple sensitive files indicates automation. |
| SuspiciousProcessList | Process names to monitor (e.g., reg.exe, cmd.exe, powershell.exe) |
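The Windows analytic above joins three event streams on the process: Security 4688 supplies the launching account, Sysmon 11 and 13 supply the files and registry values the process touched, and TimeWindow turns "several credential locations in a short span" into an alert. The following is an added example of that correlation, not code from the page or from ATT&CK; the events are constructed, and the window length, the watched process list and the path markers (SSH key material, Winlogon, PuTTY session and SNMP parameter keys) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Tunables named in the analytic; the values here are assumptions for this example.
TIME_WINDOW = timedelta(seconds=60)
SUSPICIOUS_PROCESS_LIST = {"reg.exe", "cmd.exe", "powershell.exe"}
MIN_DISTINCT_TARGETS = 2      # distinct credential locations inside one window

# Substrings that mark credential-bearing files and registry keys (assumed markers).
SENSITIVE_MARKERS = (".bash_history", "\\.ssh\\", "id_rsa", ".ppk", ".pem",
                     "\\winlogon\\", "putty\\sessions", "\\snmp\\parameters")


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def is_sensitive(target: str) -> bool:
    t = target.lower()
    return any(marker in t for marker in SENSITIVE_MARKERS)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events: List[dict]) -> List[dict]:
    # Security 4688 reports the new process id in hex; map it to the launching account.
    launched_by: Dict[int, str] = {}
    for e in events:
        if e["source"] == "Security" and e["EventCode"] == 4688:
            launched_by[int(e["NewProcessId"], 16)] = e["SubjectUserName"]

    # Sysmon 11 (file created) and 13 (registry value set): keep sensitive targets per process.
    touches: Dict[Tuple[int, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["source"] != "Sysmon" or e["EventCode"] not in (11, 13):
            continue
        image = basename(e["Image"])
        if image not in SUSPICIOUS_PROCESS_LIST:
            continue
        target = e["TargetFilename"] if e["EventCode"] == 11 else e["TargetObject"]
        if is_sensitive(target):
            touches[(e["ProcessId"], image)].append((parse_ts(e["ts"]), target))

    # Sliding window: alert once a process touches several distinct targets within TIME_WINDOW.
    alerts = []
    for (pid, image), hits in touches.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = sorted({path for ts, path in hits[i:] if ts - t0 <= TIME_WINDOW})
            if len(in_window) >= MIN_DISTINCT_TARGETS:
                alerts.append({"pid": pid, "image": image,
                               "user": launched_by.get(pid, "unknown"),
                               "window_start": t0, "targets": in_window})
                break
    return alerts


# Constructed sample events (field names follow the Sysmon / Security schemas; values are made up).
SAMPLE_EVENTS = [
    {"source": "Security", "EventCode": 4688, "ts": "2024-11-12 10:00:01",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "NewProcessId": "0x1092",
     "SubjectUserName": "svc_backup"},
    {"source": "Sysmon", "EventCode": 11, "ts": "2024-11-12 10:00:05",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 4242,
     "TargetFilename": "C:\\Users\\admin\\.ssh\\id_rsa.bak"},
    {"source": "Sysmon", "EventCode": 13, "ts": "2024-11-12 10:00:20",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 4242,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword"},
    {"source": "Sysmon", "EventCode": 11, "ts": "2024-11-12 10:00:30",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 4242,
     "TargetFilename": "C:\\Temp\\output.log"},                       # not a sensitive path
    {"source": "Sysmon", "EventCode": 11, "ts": "2024-11-12 10:00:40",
     "Image": "C:\\Windows\\explorer.exe", "ProcessId": 1000,
     "TargetFilename": "C:\\Users\\admin\\.ssh\\known_hosts"},        # process not on the watch list
    {"source": "Sysmon", "EventCode": 11, "ts": "2024-11-12 10:05:00",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": 5000,
     "TargetFilename": "C:\\Users\\admin\\.bash_history"},            # a single target: below threshold
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the cmd.exe instance fires: it touches an SSH key copy and a Winlogon value within 15 seconds, so the alert carries both targets and the account from the 4688 join. Process ids are reused by Windows, so in production the join should also require the 4688 timestamp to precede the Sysmon events.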
Reading of sensitive files like .bash_history, /etc/shadow, or private key directories by unauthorized users or unusual processes.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open/read system calls to ~/.bash_history or /etc/shadow |
| Command Execution (DC0064) | auditd:SYSCALL | execution of tools like cat, grep, or awk on credential files |

| Field | Description |
|---|---|
| SensitivePaths | Paths to credential files such as /etc/shadow or ~/.bash_history |
| UserContext | Whether the process runs under a privileged or non-interactive session |
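auditd emits one SYSCALL record and one or more PATH records per event, tied together by the serial in `msg=audit(time:serial)`; a detection for the Linux analytic has to join those records before it can say which program read which path. The block below is an added example of that join with the SensitivePaths and UserContext tunables applied; it is not from the page or from ATT&CK. The audit lines are constructed, and the allowlist of programs expected to read /etc/shadow is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

SENSITIVE_PATHS = ("/etc/shadow", "/.bash_history", "/.ssh/")   # SensitivePaths (assumed set)
# Programs that legitimately read /etc/shadow during authentication (assumed allowlist).
EXPECTED_READERS = {"sshd", "login", "sudo", "unix_chkpwd", "passwd"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> dict:
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = ID_RE.search(line)
    fields["_ts"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def group_events(lines: List[str]) -> Dict[str, dict]:
    """Join SYSCALL and PATH records that share an audit serial."""
    events: Dict[str, dict] = defaultdict(lambda: {"paths": []})
    for line in lines:
        r = parse_record(line)
        ev = events[r["_serial"]]
        if r["type"] == "SYSCALL":
            ev.update(r)
        elif r["type"] == "PATH":
            ev["paths"].append(r.get("name", ""))
    return events


def is_sensitive(path: str) -> bool:
    return any(marker in path for marker in SENSITIVE_PATHS)


def user_context(ev: dict) -> str:
    # auditd writes ses=4294967295 for an unset login session and tty=(none) for no terminal.
    if ev.get("tty") == "(none)" or ev.get("ses") == "4294967295":
        return "non-interactive"
    return "privileged" if ev.get("uid") == "0" else "unprivileged"


def detect(lines: List[str]) -> List[dict]:
    alerts = []
    for serial, ev in group_events(lines).items():
        if ev.get("type") != "SYSCALL":
            continue
        hits = [p for p in ev["paths"] if is_sensitive(p)]
        comm = ev.get("comm", "")
        if not hits or comm in EXPECTED_READERS:
            continue
        # Denied opens are reported too: a failed read of /etc/shadow is still a signal.
        alerts.append({"serial": serial, "comm": comm, "exe": ev.get("exe"),
                       "auid": ev.get("auid"), "uid": ev.get("uid"),
                       "context": user_context(ev),
                       "outcome": "success" if ev.get("success") == "yes" else "denied",
                       "paths": hits})
    return alerts


# Constructed audit records (x86_64 syscall 257 = openat); inode and mode values are made up.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1731405603.101:456): arch=c000003e syscall=257 success=yes exit=3 ppid=2100 pid=2222 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cred-files"
type=PATH msg=audit(1731405603.101:456): item=0 name="/etc/shadow" inode=262913 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1731405610.220:457): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="cred-files"
type=PATH msg=audit(1731405610.220:457): item=0 name="/etc/shadow" inode=262913 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1731405622.005:458): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=3301 auid=4294967295 uid=1001 gid=1001 euid=1001 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3.11" key="cred-files"
type=PATH msg=audit(1731405622.005:458): item=0 name="/home/dev/.bash_history" inode=1048720 mode=0100600 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1731405630.410:459): arch=c000003e syscall=257 success=yes exit=3 ppid=2100 pid=2230 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cred-files"
type=PATH msg=audit(1731405630.410:459): item=0 name="/etc/hostname" inode=262700 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1731405640.000:460): arch=c000003e syscall=257 success=no exit=-13 ppid=2100 pid=2240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" key="cred-files"
type=PATH msg=audit(1731405640.000:460): item=0 name="/etc/shadow" inode=262913 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT.splitlines()):
        print(alert)
```

Three of the five events are reported: a root shell running cat on /etc/shadow (privileged, interactive), a python3 process with no login session reading a user's .bash_history (non-interactive, which is the UserContext signal for a script or daemon), and a denied grep of /etc/shadow. The sshd read is dropped by the allowlist, and the /etc/hostname read never matches SensitivePaths. The `auid` field survives sudo and is the value to pivot on when attributing a root read back to a person.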
Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:unifiedlog | read access to ~/Library/Keychains or history files by terminal processes |
| Command Execution (DC0064) | macos:unifiedlog | execution of 'security', 'cat', or 'grep' commands accessing credential storage |

| Field | Description |
|---|---|
| ProcessName | Tool or command used to query credentials (e.g., security, grep) |
| TargetPath | Credential file paths (e.g., ~/Library/Keychains) |
Unusual web-based access or API scraping of password managers, single sign-on sessions, or credential sync services via browser automation or anomalous API tokens.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:googleworkspace | Accessed third-party credential management service |
| Application Log Content (DC0038) | saas:zoom | unusual web session tokens and automation patterns during login |

| Field | Description |
|---|---|
| TokenAnomalyThreshold | Scoring threshold for access token entropy, reuse, or bot-like patterns |
| AccessGeoLocation | Region anomalies in SaaS portal access |
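The SaaS analytic scores a session rather than matching a single event: token entropy, token reuse across sources, machine-like request pacing, automation user agents and region anomalies each contribute, and TokenAnomalyThreshold decides when the sum becomes an alert. The block below is an added example of such a scorer, not code from the page or from any SaaS provider; the access records are constructed, and the threshold, the pacing and entropy cut-offs, the user-agent markers and the per-user home regions (the AccessGeoLocation baseline) are all assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

TOKEN_ANOMALY_THRESHOLD = 3      # signals needed before a session is alerted (assumed)
MIN_REQUESTS_FOR_TIMING = 4      # do not judge pacing on fewer requests
MACHINE_PACED_CV = 0.05          # coefficient of variation of request gaps below this = scripted (assumed)
LOW_ENTROPY_BITS = 3.0           # Shannon bits per character below this = hand-made/guessable token (assumed)
AUTOMATION_UA_MARKERS = ("headlesschrome", "python-requests", "curl/", "selenium", "phantomjs")
# AccessGeoLocation baseline: regions each user normally signs in from (assumed).
USER_HOME_REGIONS: Dict[str, set] = {"alice": {"DE"}, "bob": {"US", "CA"}}


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def gap_cv(timestamps: List[datetime]) -> float:
    """Coefficient of variation of inter-request gaps; near 0 means metronome-like pacing."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else 0.0


def score_session(user: str, token: str, events: List[dict]) -> Tuple[int, List[str]]:
    reasons = []
    src_ips = {e["src_ip"] for e in events}
    if len(src_ips) > 1:
        reasons.append(f"token reused from {len(src_ips)} source IPs")
    foreign = {e["country"] for e in events} - USER_HOME_REGIONS.get(user, set())
    if foreign:
        reasons.append(f"access from outside baseline regions: {sorted(foreign)}")
    if shannon_entropy(token) < LOW_ENTROPY_BITS:
        reasons.append("low-entropy token")
    ts = sorted(datetime.fromisoformat(e["ts"]) for e in events)
    if len(ts) >= MIN_REQUESTS_FOR_TIMING and gap_cv(ts) < MACHINE_PACED_CV:
        reasons.append("machine-paced request timing")
    if any(m in e["user_agent"].lower() for e in events for m in AUTOMATION_UA_MARKERS):
        reasons.append("automation user agent")
    return len(reasons), reasons


def detect(events: List[dict]) -> List[dict]:
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["user"], e["token_id"])].append(e)
    alerts = []
    for (user, token), evs in sessions.items():
        score, reasons = score_session(user, token, evs)
        if score >= TOKEN_ANOMALY_THRESHOLD:
            alerts.append({"user": user, "token_id": token, "score": score, "reasons": reasons})
    return alerts


# Constructed portal access records (IPs are documentation ranges; tokens are made up).
SAMPLE_EVENTS = [
    # alice: one token presented from two IPs in two countries, hitting the vault export
    # endpoint exactly every 2 s with a scripting user agent.
    *[{"user": "alice", "token_id": "k8Qz2pLm9Xv4Rt7Wb3Yn", "ts": f"2024-11-12T10:00:{2 * i:02d}",
       "src_ip": "203.0.113.7" if i % 2 else "198.51.100.4", "country": "RU" if i % 2 else "DE",
       "user_agent": "python-requests/2.31", "path": "/api/v1/vault/items"} for i in range(5)],
    # bob: ordinary interactive browsing from his usual region, irregular pacing.
    {"user": "bob", "token_id": "aaaa1111", "ts": "2024-11-12T10:00:00", "src_ip": "192.0.2.10",
     "country": "US", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "path": "/dashboard"},
    {"user": "bob", "token_id": "aaaa1111", "ts": "2024-11-12T10:00:07", "src_ip": "192.0.2.10",
     "country": "US", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "path": "/vault"},
    {"user": "bob", "token_id": "aaaa1111", "ts": "2024-11-12T10:00:30", "src_ip": "192.0.2.10",
     "country": "US", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "path": "/vault/item/1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Alice's session collects four signals (reuse across IPs, an out-of-baseline region, fixed 2-second pacing, a scripting user agent) and crosses the threshold; Bob's short-lived, low-entropy session collects one and does not. Keeping the reasons alongside the score is what makes the alert triageable: an analyst sees which of the five signals fired rather than a bare number.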
Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | Reset password or download key from portal |
| Cloud Service Metadata (DC0070) | CloudTrail:GetSecretValue | API call to retrieve secret or access key |

| Field | Description |
|---|---|
| SSOSettingScope | Subset of IdP settings monitored for unauthorized changes |
| SecretType | Which secrets (passwords, keys, tokens) are monitored |
Access to container image layers or mounted secrets (e.g., Docker secrets) by processes not tied to entrypoint or orchestration context.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | read of /run/secrets or docker volumes by non-entrypoint process |
| Process Creation (DC0032) | containerd:Events | unusual process spawned from container image context |

| Field | Description |
|---|---|
| EntrypointAllowlist | Container entrypoints that are permitted to read secrets |
| VolumeMountPath | Paths to credentials/secrets inside container images |
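"Not tied to entrypoint context" is a process-tree question: a worker forked by the container's initial task is expected to read the mounted secret, while a shell injected through an exec has the shim, not the entrypoint, as its parent. The block below is an added example of that ancestry check with the EntrypointAllowlist and VolumeMountPath tunables; it is not code from the page, from containerd or from Docker. The process and file-open events are constructed (the `task_start`/`proc_start`/`file_open` kinds and the `web-1`/`db-1` containers are assumptions), as is the per-container allowlist.

```python
from typing import Dict, List, Optional

VOLUME_MOUNT_PATHS = ("/run/secrets/",)          # VolumeMountPath (assumed)
# EntrypointAllowlist: per container, which entrypoint command may read mounted secrets (assumed).
ENTRYPOINT_ALLOWLIST: Dict[str, set] = {"web-1": {"gunicorn"}, "db-1": {"postgres"}}


class ProcessTable:
    """Host-side view of container processes, built from the constructed event stream."""

    def __init__(self) -> None:
        self.procs: Dict[int, dict] = {}          # pid -> {ppid, comm, container}
        self.entrypoints: Dict[str, int] = {}     # container -> pid of its initial task

    def task_start(self, container: str, pid: int, ppid: int, comm: str) -> None:
        self.procs[pid] = {"ppid": ppid, "comm": comm, "container": container}
        self.entrypoints[container] = pid

    def proc_start(self, container: str, pid: int, ppid: int, comm: str) -> None:
        self.procs[pid] = {"ppid": ppid, "comm": comm, "container": container}

    def ancestry(self, pid: int) -> List[int]:
        """pid and its ancestors, nearest first, stopping at processes outside the table."""
        chain = []
        while pid in self.procs:
            chain.append(pid)
            pid = self.procs[pid]["ppid"]
        return chain


def is_secret_path(path: str) -> bool:
    return path.startswith(VOLUME_MOUNT_PATHS)


def check_secret_read(table: ProcessTable, pid: int, path: str) -> Optional[dict]:
    """Return an alert dict when a secret read is not tied to an allowlisted entrypoint."""
    if not is_secret_path(path):
        return None
    proc = table.procs.get(pid)
    if proc is None:
        return {"pid": pid, "path": path, "reason": "reader not attributed to any container task"}
    container = proc["container"]
    entry_pid = table.entrypoints.get(container)
    if entry_pid not in table.ancestry(pid):
        return {"pid": pid, "container": container, "comm": proc["comm"], "path": path,
                "reason": "reader is not a descendant of the container entrypoint"}
    entry_comm = table.procs[entry_pid]["comm"]
    if entry_comm not in ENTRYPOINT_ALLOWLIST.get(container, set()):
        return {"pid": pid, "container": container, "comm": proc["comm"], "path": path,
                "reason": f"entrypoint '{entry_comm}' is not allowlisted to read secrets"}
    return None


def detect(events: List[dict]) -> List[dict]:
    table = ProcessTable()
    alerts = []
    for e in events:                               # processed in arrival order
        if e["kind"] == "task_start":
            table.task_start(e["container"], e["pid"], e["ppid"], e["comm"])
        elif e["kind"] == "proc_start":
            table.proc_start(e["container"], e["pid"], e["ppid"], e["comm"])
        elif e["kind"] == "file_open":
            alert = check_secret_read(table, e["pid"], e["path"])
            if alert:
                alerts.append(alert)
    return alerts


# Constructed events. pid 2990 / 3990 stand for the containerd shims, which are outside the table.
SAMPLE_EVENTS = [
    {"kind": "task_start", "container": "web-1", "pid": 3000, "ppid": 2990, "comm": "gunicorn"},
    {"kind": "proc_start", "container": "web-1", "pid": 3010, "ppid": 3000, "comm": "gunicorn"},  # worker
    {"kind": "file_open", "pid": 3010, "path": "/run/secrets/db_password"},                  # expected
    {"kind": "file_open", "pid": 3010, "path": "/app/config.yml"},                           # not a secret
    # An exec into web-1: the shell's parent is the shim (2990), not the entrypoint.
    {"kind": "proc_start", "container": "web-1", "pid": 3100, "ppid": 2990, "comm": "sh"},
    {"kind": "proc_start", "container": "web-1", "pid": 3105, "ppid": 3100, "comm": "cat"},
    {"kind": "file_open", "pid": 3105, "path": "/run/secrets/db_password"},                  # alert
    # db-1 was started through a wrapper shell that is not on its allowlist.
    {"kind": "task_start", "container": "db-1", "pid": 4000, "ppid": 3990, "comm": "bash"},
    {"kind": "proc_start", "container": "db-1", "pid": 4005, "ppid": 4000, "comm": "postgres"},
    {"kind": "file_open", "pid": 4005, "path": "/run/secrets/pg_password"},                  # alert
    {"kind": "file_open", "pid": 9999, "path": "/run/secrets/pg_password"},                  # alert: unknown pid
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The gunicorn worker passes because its chain leads to an allowlisted entrypoint; the exec'd cat fails the ancestry test, the postgres read fails the allowlist test because the image's real entrypoint is a wrapper shell, and an unattributed pid is reported outright. The second case shows why the allowlist must be written against the image's actual entrypoint command rather than the service name, or it produces noise for every image that starts through an entrypoint script.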
Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | linux:syslog | CLI access to 'show running-config', 'show password', or 'cat config.txt' |
| Network Traffic Content (DC0085) | NSM:Flow | large transfer from management IPs to unauthorized host |

| Field | Description |
|---|---|
| ManagementInterfaceIPs | IP ranges authorized to perform credential dumps |
| CommandPattern | Regex patterns for suspicious CLI commands |
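For network devices the two channels complement each other: the syslog channel tells you who ran a configuration dump and from where, the flow channel tells you whether a large payload then left the management interface for a host that should not receive it. The block below is an added example that applies the CommandPattern and ManagementInterfaceIPs tunables to both; it is not code from the page or from any vendor. The syslog lines are constructed and modelled on Cisco IOS login-success and command-logging message text; the network ranges, the byte threshold and the extra `show startup-config` pattern are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# ManagementInterfaceIPs: admin hosts authorized to pull configuration/credentials (assumed).
AUTHORIZED_ADMIN_NETS = [ipaddress.ip_network("10.0.10.0/24")]
# Ranges the devices' own management interfaces live in (assumed).
DEVICE_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
LARGE_TRANSFER_BYTES = 5_000_000      # NSM:Flow threshold for a bulk config/credential pull (assumed)

# CommandPattern: the page's three examples plus 'show startup-config', which exposes the
# same material (assumed extension).
COMMAND_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^show\s+(running|startup)-config\b",
    r"^show\s+password",
    r"\bcat\s+config\.txt\b",
)]

LOGIN_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: ([\d.]+)\]")
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.+)$")


def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_cli(syslog_lines: List[str]) -> List[dict]:
    """Join each user's last login source to their logged commands, then apply the patterns."""
    last_source: Dict[str, str] = {}
    alerts = []
    for line in syslog_lines:
        m = LOGIN_RE.search(line)
        if m:
            last_source[m.group(1)] = m.group(2)
            continue
        m = CMD_RE.search(line)
        if not m:
            continue
        user, cmd = m.group(1), m.group(2).strip()
        if not any(p.search(cmd) for p in COMMAND_PATTERNS):
            continue
        src = last_source.get(user)
        if src is None or not in_nets(src, AUTHORIZED_ADMIN_NETS):
            alerts.append({"user": user, "command": cmd, "source": src or "unknown",
                           "reason": "credential-exposing command from outside authorized ranges"})
    return alerts


def detect_flows(flows: List[dict]) -> List[dict]:
    """Large transfers leaving a device management interface for a host that is not an admin host."""
    return [{"src": f["src"], "dst": f["dst"], "bytes": f["bytes"],
             "reason": "large transfer from management interface to unauthorized host"}
            for f in flows
            if in_nets(f["src"], DEVICE_MGMT_NETS)
            and not in_nets(f["dst"], AUTHORIZED_ADMIN_NETS)
            and f["bytes"] >= LARGE_TRANSFER_BYTES]


# Constructed syslog (IOS-style message text) and flow records; addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Nov 12 10:01:03 core-sw1 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.10.5] [localport: 22] at 10:01:03 UTC Tue Nov 12 2024
Nov 12 10:01:20 core-sw1 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:show running-config
Nov 12 10:03:00 core-sw1 103: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: backup-svc] [Source: 192.0.2.44] [localport: 22] at 10:03:00 UTC Tue Nov 12 2024
Nov 12 10:03:11 core-sw1 104: %PARSER-5-CFGLOG_LOGGEDCMD: User:backup-svc  logged command:show startup-config
Nov 12 10:03:15 core-sw1 105: %PARSER-5-CFGLOG_LOGGEDCMD: User:backup-svc  logged command:show interfaces status
Nov 12 10:04:00 core-sw1 106: %PARSER-5-CFGLOG_LOGGEDCMD: User:ghost  logged command:show password
"""
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dst": "10.0.10.5", "bytes": 8_000_000},     # to an authorized admin host
    {"src": "10.0.0.1", "dst": "192.0.2.44", "bytes": 12_000_000},   # alert
    {"src": "10.0.0.1", "dst": "192.0.2.44", "bytes": 4_000},        # below threshold
]

if __name__ == "__main__":
    for alert in detect_cli(SAMPLE_SYSLOG.splitlines()) + detect_flows(SAMPLE_FLOWS):
        print(alert)
```

The netops dump from an authorized admin range is silent; backup-svc's `show startup-config` from 192.0.2.44 and a `show password` by a user with no recorded login both alert, and the 12 MB flow to that same outside host corroborates the first. Correlating the CLI alert with the flow on the destination address is what separates a curious operator from a configuration that actually left the device.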