Detection: Linux Auditd Find Credentials From Password Managers

Description

The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access.

Search

1`linux_auditd` `linux_auditd_normalized_execve_process` 
2| rename host as dest 
3| rename comm as process_name 
4| rename exe as process 
5| where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) 
6| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
7| `security_content_ctime(firstTime)` 
8| `security_content_ctime(lastTime)`
9| `linux_auditd_find_credentials_from_password_managers_filter`

Data Source

Name	Platform	Sourcetype	Source
Linux Auditd Execve	Linux	'linux:audit'	'/var/log/audit/audit.log'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed

Known False Positives

Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.

Associated Analytic Story

• Compromised Linux Host

• Linux Living Off The Land

• Linux Persistence Techniques

• Linux Privilege Escalation

Risk Based Analytics (RBA)

Risk Message:

A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers.

References

• https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html

• https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3