Monitors suspicious access to password stores such as LSASS, DPAPI, Windows Credential Manager, or browser credential databases. Detects anomalous process-to-process access (e.g., Mimikatz accessing LSASS) and correlation of credential store file reads with execution of non-standard processes.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4656 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TargetProcesses | List of sensitive processes to monitor (e.g., lsass.exe, svchost.exe) |
| KeywordPatterns | Regex for suspicious command-line arguments such as 'dpapi', 'credman', 'mimikatz' |
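The Windows analytic above, as an added example (not part of the original page) that applies the TargetProcesses and KeywordPatterns elements to Sysmon EventCode 10 and EventCode 1 records. The allowlist of source images, the PROCESS_VM_READ check on GrantedAccess, and the sample events are constructed assumptions for illustration and need tuning per environment.

```python
import re
import ntpath

# Mutable elements of the analytic; these defaults are constructed for the example.
TARGET_PROCESSES = {"lsass.exe"}
KEYWORD_PATTERNS = re.compile(r"dpapi|credman|mimikatz", re.IGNORECASE)
# Assumed allowlist of images that legitimately open LSASS (constructed, not exhaustive).
ALLOWED_SOURCE_IMAGES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def check_process_access(ev):
    """Sysmon EventCode=10: non-allowlisted image reading a sensitive process."""
    target = ntpath.basename(ev["TargetImage"]).lower()
    if target not in TARGET_PROCESSES:
        return None
    if ev["SourceImage"].lower() in ALLOWED_SOURCE_IMAGES:
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
        return None  # no memory-read right granted; not a dump-style access
    return f"{ev['SourceImage']} opened {target} with GrantedAccess={ev['GrantedAccess']}"


def check_process_creation(ev):
    """Sysmon EventCode=1: command line matching credential-theft keywords."""
    match = KEYWORD_PATTERNS.search(ev["CommandLine"])
    return f"keyword '{match.group(0)}' in: {ev['CommandLine']}" if match else None


def evaluate(events):
    """Run the per-event checks and return (EventCode, finding) pairs."""
    checks = {10: check_process_access, 1: check_process_creation}
    alerts = []
    for ev in events:
        check = checks.get(ev["EventCode"])
        finding = check(ev) if check else None
        if finding:
            alerts.append((ev["EventCode"], finding))
    return alerts


# Constructed sample events using the Sysmon ID 10 / ID 1 field names.
SAMPLE_EVENTS = [
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 1, "CommandLine": r"C:\Users\Public\mimikatz.exe"},
    {"EventCode": 1, "CommandLine": "ping 127.0.0.1"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two findings: the unknown image reading lsass.exe and the command line matching the keyword pattern; the csrss.exe access and the notepad.exe target are suppressed.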
Detects access to known password store files (e.g., /etc/shadow, GNOME Keyring, KWallet, browser credential databases). Monitors anomalous process read attempts and suspicious API calls that attempt to extract stored credentials.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open/read |
| Process Creation (DC0032) | auditd:EXECVE | execve |

| Field | Description |
|---|---|
| MonitoredFiles | Paths to password storage files (e.g., /etc/shadow, ~/.local/share/keyrings/) |
| SuspiciousCommands | Process or command-line keywords that indicate password extraction attempts |
Monitors Keychain database access and suspicious invocations of security and osascript utilities. Correlates process execution with attempts to dump or unlock Keychain data.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:unifiedlog | access to keychain database |
| Process Creation (DC0032) | macos:unifiedlog | execution of security or osascript |

| Field | Description |
|---|---|
| AllowedApplications | Whitelist of legitimate processes accessing the Keychain |
| AlertThreshold | Number of failed access attempts before raising an alert |
Detects attempts to access or enumerate cloud password/secrets storage services such as AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Monitors API calls for abnormal enumeration or bulk retrieval of secrets.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | GetSecretValue |
| OS API Execution (DC0021) | AWS:CloudTrail | Decrypt |

| Field | Description |
|---|---|
| UserContext | Correlate cloud API calls with IAM role, user, or service account context |
| AccessThreshold | Number of secret retrievals within a time window before flagging |