Searching for Passwords in Files
Adversaries may search local file systems and remote file shares for files containing passwords.
| id: | 53de420f-7618-4330-87b1-1e57bafa7da5 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Credential Access |
|---|---|
| techniques: | T1081 Credentials in Files |
Query
process where subtype.create
and process_name in ("cat", "grep")
and wildcard(command_line, "*.bash_history*", "*password*", "*passwd*")
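
The query's matching logic applied to constructed process events, as an added Python example (not part of the original analytic or the EQL project's code). It assumes EQL string matching is case-insensitive with `*` as the only wildcard metacharacter; the dict layout and the `event_type` key are hypothetical.

```python
import re

PROCESS_NAMES = {"cat", "grep"}
PATTERNS = ("*.bash_history*", "*password*", "*passwd*")


def wildcard(value, *patterns):
    """True if value matches any pattern; '*' is the only metacharacter."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL):
            return True
    return False


def matches(event):
    """Mirror of: process where subtype.create and process_name in (...) and wildcard(...)."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name", "").lower() in PROCESS_NAMES
        and wildcard(event.get("command_line", ""), *PATTERNS)
    )


def hits(events):
    """Return the command lines of all events the query would flag."""
    return [e["command_line"] for e in events if matches(e)]


def proc(subtype, name, command_line):
    """Build one constructed process event (hypothetical layout)."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": command_line}


# Constructed sample events, not taken from real telemetry.
SAMPLE_EVENTS = [
    proc("create", "cat", "cat /home/dev/.bash_history"),
    proc("create", "grep", "grep -ri PASSWORD /srv/share"),  # case-insensitive hit
    # Routine admin command that still matches "*passwd*": one reason the
    # analytic is rated low confidence and categorised as "enrich".
    proc("create", "cat", "cat /etc/passwd"),
    proc("create", "grep", "grep error /var/log/syslog"),    # no pattern match
    proc("terminate", "cat", "cat /tmp/password.txt"),       # not a create event
]

if __name__ == "__main__":
    for command_line in hits(SAMPLE_EVENTS):
        print("flagged:", command_line)
```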