Credentials In File Detected
Adversaries may dump credentials into local files using OS Credential Dumping or credentials might have been left in files by mistake. In cloud environments, authenticated user credentials are often stored in local configuration and credential files. This search looks for common credential patterns in log files in Splunk using a list of regexes in a lookup file.
How to Implement
By default this search looks at known log file dump locations, but you might want to include or exclude certain locations before deploying it. You can also add, modify or disable the regex patterns in the lookup file credential_patterns.csv to get better coverage or to exclude false positive matches. Note that this search is very resource heavy and will run very slowly. If you enable it, keep the time window short or schedule it infrequently.
Known False Positives
This search could trigger false positives if some of the credential patterns match other strings that happen to exist in the files. If that is the case in your environment, modify the pattern lookup to include or exclude specific patterns.
How To Respond
This alert triggers when cleartext credentials are found in data indexed by Splunk. It might indicate a mistake or an adversary performing credential dumping. Recommended next steps are to investigate why the credentials are in the file and how the file ended up in Splunk.
Credentials In File Detected Help
The basic idea behind this search is to take a set of known credential patterns from a lookup file (credential_patterns.csv) and dynamically build the statement for the rex command from them. This is a little-known SPL technique with wide-ranging applicability beyond this detection search. If a match is found, an additional round of matching determines in which field the offending value was found. The last lines of the search are there to make the output easy for the analyst to read.
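The two rounds described above, as an added Python illustration of the logic rather than the page's SPL: a constructed stand-in for the credential_patterns.csv lookup (the columns regex and enabled are assumptions) is turned into one combined regex, run over the _raw line of each constructed sample event, and every hit is attributed to the extracted field that carries the value. The alert output redacts the value so the detection itself does not leak what it found.

```python
import csv
import io
import re

# Constructed stand-in for the credential_patterns.csv lookup (assumed columns: regex, enabled).
# Each regex wraps the secret value in a named group, so one combined rex reports which pattern fired.
CREDENTIAL_PATTERNS_CSV = r"""regex,enabled
(?P<aws_access_key_id>AKIA[0-9A-Z]{16}),1
[Pp]ass(?:word|wd)\s*[=:]\s*(?P<password_assignment>\S+),1
(?P<private_key_header>-----BEGIN (?:RSA |EC )?PRIVATE KEY-----),1
://[^/\s:]+:(?P<url_basic_auth>[^@\s]+)@,0
"""

# Constructed sample events in Splunk field style; _raw is the full line, the rest are extracted fields.
SAMPLE_EVENTS = [
    {"source": "/var/log/app/deploy.log", "message": "using key AKIAIOSFODNN7EXAMPLE for upload",
     "_raw": "2024-01-05 10:02:11 INFO using key AKIAIOSFODNN7EXAMPLE for upload"},
    {"source": "/home/svc/.config/app.ini", "db_user": "app", "password": "hunter2",
     "_raw": "db_user=app password=hunter2"},
    {"source": "/var/log/app/deploy.log", "message": "Password rotation completed",
     "_raw": "2024-01-05 10:03:00 INFO Password rotation completed"},
]
def load_patterns(csv_text):
    # Only enabled rows are used; setting enabled to 0 is how a noisy pattern is excluded.
    return [r["regex"] for r in csv.DictReader(io.StringIO(csv_text)) if r["enabled"].strip() == "1"]
def build_combined_regex(regexes):
    # Dynamically build the single alternation that the search would hand to rex.
    return "|".join(f"(?:{r})" for r in regexes)
def redact(value):
    # The alert must not leak the credential it found, so keep only a short hint.
    return value[:4] + "***" if len(value) > 4 else "*" * len(value)
def locate_field(event, value):
    # Second round of matching: which extracted field carries the offending value?
    for field, content in event.items():
        if field != "_raw" and value in str(content):
            return field
    return "_raw"
def scan_event(event, combined):
    # First round: run the combined regex over _raw and keep every named group that fired.
    findings = []
    for m in re.finditer(combined, event["_raw"]):
        for name, value in m.groupdict().items():
            if value is not None:
                findings.append({"source": event.get("source"), "pattern": name,
                                 "field": locate_field(event, value), "value_hint": redact(value)})
    return findings
def scan_events(events, csv_text=CREDENTIAL_PATTERNS_CSV):
    combined = build_combined_regex(load_patterns(csv_text))
    return [f for e in events for f in scan_event(e, combined)]
```

The third sample event ("Password rotation completed") shows why the password pattern requires an assignment operator: without it, ordinary log text mentioning passwords would fire the alert.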
SPL for Credentials In File Detected
|First we select a few sources that might contain dumped credentials.|