Deployable detection rules
3 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
3 shown of 3Linux Auditd Find Ssh Private Keys
The following analytic detects suspicious attempts to find SSH private keys, which may indicate an attacker's effort to compromise secure access to systems. SSH private keys are essential for secure authentication, and unauthorized access to these keys can enable attackers to gain unauthorized access to servers and other critical infrastructure. By monitoring for unusual or unauthorized searches for SSH private keys, this analytic helps identify potential threats to network security, allowing security teams to quickly respond and safeguard against unauthorized access and potential breaches.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*id_rsa*", "*id_dsa*", "*.key*", "*ssh_key*", "*authorized_keys*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_find_ssh_private_keys_filter`Linux Auditd Private Keys and Certificate Enumeration
The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.pem*", "*.cer*", "*.crt*", "*.pgp*", "*.key*", "*.gpg*", "*.ppk*", "*.p12*", "*.pfx*", "*.p7b*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_private_keys_and_certificate_enumeration_filter`Windows Private Keys Discovery
The following analytic identifies processes that retrieve information related to private key files, often used by post-exploitation tools like winpeas. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that search for private key certificates. This activity is significant as it indicates potential attempts to locate insecurely stored credentials, which adversaries can exploit for privilege escalation, persistence, or remote service authentication. If confirmed malicious, this behavior could allow attackers to access sensitive information, escalate privileges, or maintain persistence within the compromised environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process = "*dir *"
OR
Processes.process = "*findstr*"
AND
Processes.process IN ( "*.rdg*", "*.gpg*", "*.pgp*", "*.p12*", "*.der*", "*.csr*", "*.cer*", "*.ovpn*", "*.key*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.p7b*", "*.asc*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_private_keys_discovery_filter`Showing 1-3 of 3