elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Mdfind Sensitive File Discovery #2567

Open DefSecSentinel opened 1 year ago

DefSecSentinel commented 1 year ago

Description

Detects the use of Mdfind binary to search the filesystem for sensitive files that may contain credentials. Threat actors can use mdfind to search and collect sensitive files or data on a compromised host.

Target indexes

logs-*

Target Operating Systems

macOS

Tested ECS Version

1.11.0

Query

process where event.type == "start" and process.name : "mdfind" and process.args : ("*confidential*", "*password*", "*passw*", "*key*", "*secret*", "*cookies*", "*AKIA*", "*token*", "*kdbx*") and not process.parent.executable : ("/usr/local/kolide/bin/launcher-updates/*/Kolide.app/Contents/MacOS/launcher", "/System/*") and not process.Ext.effective_parent.executable : "/System/*"

References

https://objectivebythesea.org/v5/talks/OBTS_v5_cOwens_cRoss.pdf
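To show what the proposed EQL query actually selects and excludes, here is a Python re-implementation of its logic run over a handful of constructed ECS-style process events. This is an added example for illustration, not code from the elastic/detection-rules repository or from the issue author; the patterns and exclusion paths are copied from the query above, `eql_like` approximates EQL's case-insensitive wildcard `:` operator, and the sample events (including their executable paths) are constructed. The handling of a missing parent field is an assumption of this re-implementation, not a statement about the EQL engine.

```python
"""Re-implementation of the mdfind sensitive-file discovery rule from this issue.

Added example, not part of elastic/detection-rules. The sample events are
constructed and the field names follow ECS / Elastic Endpoint conventions.
"""
from fnmatch import fnmatchcase

# Wildcard patterns from the rule's process.args clause.
SENSITIVE_ARG_PATTERNS = (
    "*confidential*", "*password*", "*passw*", "*key*", "*secret*",
    "*cookies*", "*AKIA*", "*token*", "*kdbx*",
)
# Exclusions from the rule's process.parent.executable clause.
PARENT_EXCLUSIONS = (
    "/usr/local/kolide/bin/launcher-updates/*/Kolide.app/Contents/MacOS/launcher",
    "/System/*",
)
# Exclusion from the rule's process.Ext.effective_parent.executable clause.
EFFECTIVE_PARENT_EXCLUSIONS = ("/System/*",)


def eql_like(value, patterns):
    """Approximate EQL's ':' operator: case-insensitive match where '*' in the
    pattern matches any run of characters (including '/'). None never matches."""
    if value is None:
        return False
    lowered = value.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def get_field(event, dotted_path):
    """Walk a nested dict by a dotted ECS path; return None if any part is absent."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches_mdfind_rule(event):
    """Return True when the event satisfies the issue's EQL query."""
    if get_field(event, "event.type") != "start":
        return False
    if not eql_like(get_field(event, "process.name"), ("mdfind",)):
        return False
    args = get_field(event, "process.args") or []
    if not any(eql_like(arg, SENSITIVE_ARG_PATTERNS) for arg in args):
        return False
    # Assumption of this example: a missing parent field is not excluded.
    if eql_like(get_field(event, "process.parent.executable"), PARENT_EXCLUSIONS):
        return False
    if eql_like(get_field(event, "process.Ext.effective_parent.executable"),
                EFFECTIVE_PARENT_EXCLUSIONS):
        return False
    return True


def run_rule(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_mdfind_rule(e)]


# Constructed sample events; paths and ids are illustrative placeholders.
SAMPLE_EVENTS = [
    {"id": "shell-password-search", "event": {"type": "start"},
     "process": {"name": "mdfind", "args": ["mdfind", "-name", "password"],
                 "parent": {"executable": "/bin/zsh"}}},
    {"id": "kolide-launcher", "event": {"type": "start"},
     "process": {"name": "mdfind", "args": ["mdfind", "kMDItemFSName == '*.kdbx'"],
                 "parent": {"executable": "/usr/local/kolide/bin/launcher-updates/"
                                          "1.0.0/Kolide.app/Contents/MacOS/launcher"}}},
    {"id": "benign-query", "event": {"type": "start"},
     "process": {"name": "mdfind", "args": ["mdfind", "-name", "quarterly-report.pdf"],
                 "parent": {"executable": "/bin/zsh"}}},
    {"id": "process-end", "event": {"type": "end"},
     "process": {"name": "mdfind", "args": ["mdfind", "secret"],
                 "parent": {"executable": "/bin/zsh"}}},
    {"id": "system-effective-parent", "event": {"type": "start"},
     "process": {"name": "mdfind", "args": ["mdfind", "AKIA"],
                 "parent": {"executable": "/usr/bin/sudo"},
                 "Ext": {"effective_parent": {
                     "executable": "/System/Library/CoreServices/placeholder-agent"}}}},
    {"id": "uppercase-token", "event": {"type": "start"},
     "process": {"name": "mdfind", "args": ["mdfind", "-name", "API_TOKEN"],
                 "parent": {"executable": "/bin/bash"}}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<26} alert={matches_mdfind_rule(event)}")
```

Running the block flags only `shell-password-search` and `uppercase-token`: the Kolide-launched search and the one whose effective parent lives under `/System/` are suppressed by the exclusion clauses, the report lookup contains none of the listed terms, and the `end` event is ignored because the rule keys on process start. The `uppercase-token` case illustrates why the `:` operator's case-insensitivity matters for a term list like this one.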

swiftbird07 commented 1 year ago

Nice rule! Would be useful to also add "*kdbx" (KeePass files) to the list of arguments.

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.