Searching for Passwords in Files
Adversaries may search local file systems and remote file shares for files containing passwords.
| id: | 53de420f-7618-4330-87b1-1e57bafa7da5 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping

| tactics: | Credential Access |
|---|---|
| techniques: | T1081 Credentials in Files |
Query

```
process where subtype.create
  and process_name in ("cat", "grep")
  and wildcard(command_line, "*.bash_history*", "*password*", "*passwd*")
```
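
The query's logic replayed over constructed process events, as an added Python example that is not part of the original analytic. The event dictionaries, the `event_type` field, reading `subtype.create` as `subtype == "create"`, and case-insensitive `wildcard` matching are assumptions.

```python
import re

PROCESS_NAMES = {"cat", "grep"}
PATTERNS = ("*.bash_history*", "*password*", "*passwd*")


def wildcard(value, *patterns):
    """EQL-style wildcard(): '*' matches any run of characters.
    Case-insensitive matching is assumed here."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL):
            return True
    return False


def matches(event):
    """True when a process-creation event satisfies the query above."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name") in PROCESS_NAMES
        and wildcard(event.get("command_line", ""), *PATTERNS)
    )


def ev(subtype, name, command_line):
    """Build one constructed process event (hypothetical normalized schema)."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": command_line}


# Constructed sample events, not real telemetry.
EVENTS = [
    ev("create", "grep", "grep -ri password /home/alice/projects"),
    ev("create", "cat", "cat /home/alice/.bash_history"),
    ev("create", "cat", "cat /etc/passwd"),        # routine admin use, still a hit
    ev("create", "cat", "cat /var/log/syslog"),    # no keyword in the command line
    ev("terminate", "grep", "grep password notes.txt"),  # not a create event
    ev("create", "less", "less passwords.txt"),    # outside the process_name list
]


def hits(events):
    """Command lines of the events the query would return."""
    return [e["command_line"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in hits(EVENTS):
        print(line)
```

The `cat /etc/passwd` hit shows why the analytic is rated low confidence and categorized as enrich: the match is a string test on the command line, so routine administration matches alongside credential hunting.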