Credentials In File Detected

Description

Detect known credential patterns inside data indexed in Splunk.

Use Case

Security Monitoring, Compliance

Category

Compliance, Data Exfiltration, Zero Trust

Security Impact

Adversaries may dump credentials into local files using OS Credential Dumping or credentials might have been left in files by mistake. In cloud environments, authenticated user credentials are often stored in local configuration and credential files. This search looks for common credential patterns in log files in Splunk using a list of regexes in a lookup file.

Alert Volume

Medium

SPL Difficulty

Hard

Journey

Stage 1

MITRE ATT&CK Tactics

Credential Access

MITRE ATT&CK Techniques

Unsecured Credentials
Exploitation for Credential Access
Credentials In Files
Private Keys

MITRE Threat Groups

APT3
APT33
Leafminer
MuddyWater
OilRig
Rocke
Stolen Pencil
TA505
UNC2452

Kill Chain Phases

Actions On Objectives

Data Sources

Any Splunk Logs

How to Implement

By default this search looks at known log file dump locations, but you might want to include or exclude certain locations before deploying. You can also add, modify or disable the regex patterns in the lookup file credential_patterns.csv to get better coverage or to exclude false positive matches. Note that this search is very resource heavy and will run very slowly. If you enable this search, make sure you keep the time window short or the schedule infrequent.

Known False Positives

This search could trigger false positives if some of the credential patterns match other strings that exist in the files. If that is the case in your environment, you can modify the lookup that holds the patterns to include or exclude certain patterns.

How To Respond

This alert triggers when clear text credentials are found inside Splunk. It might indicate a mistake or an adversary performing credential dumping activities. Recommended next steps are to investigate why the credentials are in the file and how the file ended up in Splunk.

Help

Credentials In File Detected Help

The basic idea behind this search is to take a set of known credential patterns from a lookup file (credential_patterns.csv) and dynamically build up a statement for the rex command. This is a little-known technique in SPL and has wide-ranging applicability beyond this detection search. If a match is found, an additional round of matching occurs to find in which field the offending value was found. The last lines of the search are there to make the output easy to read for the analyst.
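As an added illustration of the dynamically built pattern match described above (this is not the page's SPL and not Splunk's code), the following Python re-implements the search's logic locally: it reads a constructed stand-in for credential_patterns.csv, joins the rows into one alternation the way the search builds a single rex statement, and on a hit runs the second round that identifies which field carries the value. The lookup contents, column names, sample events and field names are all constructed assumptions.

```python
import csv
import re

# Constructed stand-in for the credential_patterns.csv lookup (not the page's real lookup).
# Each row names a pattern and gives the regex the search should apply to event text.
CREDENTIAL_PATTERNS_CSV = r"""pattern_name,regex
aws_access_key_id,AKIA[0-9A-Z]{16}
password_assignment,(?i:password\s*[=:]\s*\S+)
private_key_block,-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----
"""

# Constructed sample events, shaped like Splunk results: _raw plus extracted fields.
SAMPLE_EVENTS = [
    {"source": "/var/log/app/debug.log", "_raw": "db connect host=db1 user=svc",
     "message": "db connect host=db1 user=svc"},
    {"source": "/var/log/app/debug.log", "_raw": "cfg loaded password=Hunter2! for svc",
     "message": "cfg loaded password=Hunter2! for svc"},
    {"source": "/home/ops/.aws/credentials", "_raw": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
     "message": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"},
]


def load_patterns(csv_text):
    """Read lookup rows into (name, regex) pairs; a row that does not compile is skipped."""
    patterns = []
    for row in csv.DictReader(csv_text.splitlines()):
        try:
            re.compile(row["regex"])
        except re.error:
            continue  # one bad lookup entry must not break the whole search
        patterns.append((row["pattern_name"], row["regex"]))
    return patterns


def build_combined_regex(patterns):
    """Join all rows into one alternation with a named group per pattern (the single rex statement)."""
    return re.compile("|".join(f"(?P<{name}>{regex})" for name, regex in patterns))


def detect(events, combined):
    """Round 1: match the combined regex against _raw. Round 2: find the field holding the value."""
    findings = []
    for event in events:
        for m in combined.finditer(event["_raw"]):
            value = m.group(m.lastgroup)
            fields = sorted(f for f, v in event.items() if f != "_raw" and value in str(v))
            findings.append({"source": event["source"], "pattern": m.lastgroup,
                             "field": fields[0] if fields else "_raw",
                             "value_prefix": value[:6] + "..."})  # do not re-log the secret
    return findings
```

The truncated value_prefix mirrors the analyst-friendly output of the real search while keeping the full secret out of the alert itself.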

SPL for Credentials In File Detected

Live Data

First we select a few sources that might contain dumped credentials.