credential_access_unusual_access_to_ssh_keys.yml

name: Unusual access to SSH keys
id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
version: 1.0.6
description: |
  Identifies access by an unusual process to saved SSH keys.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1552
  technique.name: Unsecured credentials
  technique.ref: https://attack.mitre.org/techniques/T1552/
  subtechnique.id: T1552.001
  subtechnique.name: Credentials In Files
  subtechnique.ref: https://attack.mitre.org/techniques/T1552/001/
condition: >
  open_file and
    evt.pid != 4 and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
    ps.exe not imatches
      (
        '?:\\Program Files\\*',
        '?:\\Program Files(x86)\\*',
        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
        '?:\\Windows\\System32\\svchost.exe'
      ) and
    ps.name not imatches
      (
        'PuTTYNG.exe',
        'putty*.exe',
        'ssh.exe',
        'WinSCP.exe'
      )
min-engine-version: 3.0.0
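To see which file-open events the condition above actually fires on, the following added example re-implements its logic in Python and runs it over a handful of constructed events. It is not the rule engine's own code: it assumes `imatches` is a case-insensitive glob where `?` matches one character and `*` matches any run of characters including path separators, and that the doubled backslashes in the YAML single-quoted strings denote single backslashes in the filter language. The process names, PIDs and paths in the sample events are invented for the test.

```python
import fnmatch
from dataclasses import dataclass

# Patterns transcribed from the rule (assumption: YAML '\\' means one backslash).
KNOWN_HOSTS_PATTERN = r"?:\Users\*\.ssh\known_hosts"
EXCLUDED_EXE_PATTERNS = [
    r"?:\Program Files\*",
    r"?:\Program Files(x86)\*",
    r"?:\ProgramData\Microsoft\Windows Defender\*\MsMpEng.exe",
    r"?:\Windows\System32\svchost.exe",
]
EXCLUDED_NAME_PATTERNS = ["PuTTYNG.exe", "putty*.exe", "ssh.exe", "WinSCP.exe"]


@dataclass
class Event:
    """Minimal stand-in for the event fields the condition reads."""
    kind: str       # event type, e.g. "open_file"
    pid: int        # evt.pid
    file_path: str  # file.path
    ps_exe: str     # ps.exe (full image path)
    ps_name: str    # ps.name (image file name)


def imatches(value, patterns):
    """Case-insensitive glob match against one pattern or a list (assumed semantics)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def rule_matches(evt):
    """Evaluate the rule's condition block for a single event."""
    return (
        evt.kind == "open_file"
        and evt.pid != 4
        and imatches(evt.file_path, KNOWN_HOSTS_PATTERN)
        and not imatches(evt.ps_exe, EXCLUDED_EXE_PATTERNS)
        and not imatches(evt.ps_name, EXCLUDED_NAME_PATTERNS)
    )


# Constructed sample events; none of these values come from a real host.
KH = r"C:\Users\alice\.ssh\known_hosts"
SAMPLE_EVENTS = {
    "powershell_reads_known_hosts": Event(
        "open_file", 5120, KH,
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    "ssh_client_reads_known_hosts": Event(
        "open_file", 6032, KH, r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe"),
    "system_process_pid4": Event(
        "open_file", 4, KH, "System", "System"),
    "defender_engine": Event(
        "open_file", 2208, KH,
        r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe", "MsMpEng.exe"),
    "svchost": Event(
        "open_file", 1100, KH, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    "uppercase_putty_name": Event(
        "open_file", 7044, KH, r"C:\Users\alice\Downloads\PUTTY.EXE", "PUTTY.EXE"),
    # Real 32-bit program directory has a space: "Program Files (x86)".
    "tool_in_program_files_x86": Event(
        "open_file", 8120, KH, r"C:\Program Files (x86)\SomeTool\tool.exe", "tool.exe"),
    # Same process touching a private key rather than known_hosts.
    "powershell_reads_id_rsa": Event(
        "open_file", 5120, r"C:\Users\alice\.ssh\id_rsa",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {label: fired} for every sample event."""
    return {label: rule_matches(evt) for label, evt in events.items()}


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'ignore'}  {label}")
```

Two of the sample results are worth a practitioner's attention. The rule only matches `known_hosts`, so under these assumptions a process opening `id_rsa` in the same directory does not fire; the description's wording about "saved SSH keys" is broader than the path the condition checks. And the exclusion `'?:\\Program Files(x86)\\*'` has no space before `(x86)`, so a binary under the real `C:\Program Files (x86)\` directory is not excluded by that entry and fires, which may or may not be the intended behaviour.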