Detectionhightest

Credentials In Files - Linux

Detecting attempts to extract passwords with grep

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Igor Fits, oscd.communityCreated Thu Oct 15Updated Sun Apr 30df3fcaea-2715-4214-99c5-0056ea59eb35linux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: 'EXECVE'
    keywords:
        '|all':
            - 'grep'
            - 'password'
    condition: selection and keywords

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1552.001 · Credentials In Files

Rule Metadata

Rule ID

df3fcaea-2715-4214-99c5-0056ea59eb35

Status

test

Level

high

Type

Detection

Created

Thu Oct 15

Modified

Sun Apr 30

Author

Igor Fits, oscd.community

Path

rules/linux/auditd/execve/lnx_auditd_find_cred_in_files.yml

Raw Tags

attack.credential-accessattack.t1552.001

View on GitHub