Open DefSecSentinel opened 1 year ago
Nice rule! Would be useful to also add "*kdbx" (KeePass files) to the list of arguments.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Description
Detects use of the mdfind binary (the Spotlight search CLI) to query the file system index for files that may contain credentials, such as keychains, key files and password databases. Threat actors can use mdfind to locate and collect sensitive files or data on a compromised host without walking the file system themselves.
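As an added example (not the rule's actual query, which is not shown on this page), the following Python runs the described detection logic over a few constructed ECS-style process events: a macOS `mdfind` process start whose command line contains one of a list of credential-related search terms is flagged, while other `mdfind` searches and other binaries are not. The event shapes and the term list are assumptions chosen for illustration; a production rule would tune the list to the environment.

```python
# Added example: credential-hunting detection for mdfind over ECS-style events.
# Events and term list are constructed for illustration, not taken from the page.

# Illustrative substrings of file names or Spotlight queries that point at
# credential material. "kdbx" is included per the thread's suggestion.
SENSITIVE_TERMS = [
    "kdbx",          # KeePass databases
    "keychain",      # macOS keychain files
    "password",
    "id_rsa",        # OpenSSH private keys
    "id_ed25519",
    ".ssh",
    ".pem",
    "wallet",
    "credential",
]

# Constructed sample telemetry (hypothetical, not real logs). Only the fields
# the detection inspects are populated.
SAMPLE_EVENTS = [
    {"event": {"category": "process", "type": "start"},
     "host": {"os": {"type": "macos"}},
     "process": {"name": "mdfind", "args": ["mdfind", "kMDItemFSName == '*.kdbx'"]}},
    {"event": {"category": "process", "type": "start"},
     "host": {"os": {"type": "macos"}},
     "process": {"name": "mdfind", "args": ["mdfind", "-name", "id_rsa"]}},
    {"event": {"category": "process", "type": "start"},
     "host": {"os": {"type": "macos"}},
     "process": {"name": "mdfind", "args": ["mdfind", "kind:pdf", "quarterly report"]}},
    {"event": {"category": "process", "type": "start"},
     "host": {"os": {"type": "macos"}},
     "process": {"name": "grep", "args": ["grep", "-r", "password", "/Users"]}},
    {"event": {"category": "process", "type": "start"},
     "host": {"os": {"type": "macos"}},
     "process": {"name": "mdfind", "args": ["mdfind", "-onlyin", "/Users", "Password"]}},
]


def matched_terms(event: dict) -> list:
    """Return the sensitive terms present in an mdfind invocation.

    Returns [] when the event is not a macOS process event, is not mdfind,
    or its command line carries none of the terms.
    """
    if event.get("event", {}).get("category") != "process":
        return []
    if event.get("host", {}).get("os", {}).get("type") != "macos":
        return []
    proc = event.get("process", {})
    if proc.get("name") != "mdfind":
        return []
    # Spotlight syntax may arrive as a single argument ("kMDItemFSName == '*.kdbx'")
    # or as separate -name / free-text arguments, so match against the joined,
    # lower-cased command line instead of individual argv entries.
    cmdline = " ".join(proc.get("args", [])).lower()
    return [term for term in SENSITIVE_TERMS if term in cmdline]


def detect(events) -> list:
    """Return (command line, matched terms) for every event the rule fires on."""
    hits = []
    for event in events:
        terms = matched_terms(event)
        if terms:
            hits.append((" ".join(event["process"]["args"]), terms))
    return hits


if __name__ == "__main__":
    for cmdline, terms in detect(SAMPLE_EVENTS):
        print(f"ALERT mdfind credential search: {cmdline!r} matched {terms}")
```

Matching on the joined command line is deliberate: mdfind accepts both raw Spotlight metadata queries and plain-text or `-name` searches, and splitting on argv would miss the term when it is embedded in a quoted query expression. The term list is the part that needs tuning; broad words such as "password" will also catch benign user searches, so a deployed rule would typically pair the list with exclusions for known-good parent processes.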
Target indexes
logs-*
Target Operating Systems
macOS
Tested ECS Version
1.11.0
Query
References
https://objectivebythesea.org/v5/talks/OBTS_v5_cOwens_cRoss.pdf