Sysinternals file access monitor
For added context on adversary procedures and background, see Data from Local System. To detect collection from local systems, monitor for unexpected or abnormal access to files that may be malicious collection of local data, such as user files (e.g. .pdf, .jpg, etc.). Monitor file reads that may acquire user credentials from third-party password managers. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\\AppData\Local\Microsoft\\\, for suspicious activity. Identify web browser files that contain credentials, such as Google Chrome's Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data.

Monitor for Keychain files being accessed that may be related to malicious credential collection. Monitor for files being accessed that may search for common password storage locations to obtain user credentials. Monitor for unexpected browser bookmarks viewed in isolation; this showcases part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor for abnormal access to files (i.e. .pdf, .jpg, etc.), especially sensitive documents, through the use of automated processing after being gathered during Collection, and for abnormal access to files viewed for collecting internal data.

Monitor access to file resources that contain local accounts and groups information, such as /etc/passwd, /Users directories, and the Windows SAM database. If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources. The relevant event is the opening of a file, which makes the file contents available to the requestor (e.g. Windows EID 4663).
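The guidance above reduces to one detection pattern: a read of a known credential store by a process that is not the store's legitimate owner. The following is an added example, not code from the original page or from Sysinternals, that applies that pattern to a handful of constructed records shaped like Windows Security event 4663 (EventID, subject user, process, object name, access mask). The pipe-delimited line format, the file names, and the list of "expected reader" processes per rule are assumptions made for the example; in practice the expected readers come from a baseline of what actually opens those files in your environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records modelled on the fields of Windows Security
# event 4663 ("An attempt was made to access an object"). The pipe-delimited
# layout is invented for this example, not a real log export:
#   EventID|SubjectUserName|ProcessName|ObjectName|AccessMask
SAMPLE_LOG = """\
4663|alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data|0x1
4663|alice|C:\\Users\\alice\\Downloads\\update.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data|0x1
4663|alice|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Documents\\report.pdf|0x1
4663|bob|C:\\Users\\bob\\AppData\\Local\\Temp\\a.exe|C:\\Users\\bob\\AppData\\Local\\Microsoft\\Vault\\Policy.vpol|0x1
4660|bob|C:\\Windows\\explorer.exe|C:\\Users\\bob\\Desktop\\old.txt|0x10000
"""


@dataclass
class FileAccessEvent:
    event_id: int
    user: str
    process: str
    object_name: str
    access_mask: int


def parse_line(line: str) -> Optional[FileAccessEvent]:
    """Parse one constructed record; return None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    eid, user, proc, obj, mask = parts
    try:
        return FileAccessEvent(int(eid), user, proc, obj, int(mask, 16))
    except ValueError:
        return None


# Detection rules: (name, path pattern for the credential store, processes
# that legitimately read it). The expected-reader sets are assumptions for
# this example, not a vendor-supplied list.
RULES = [
    ("chrome_login_data",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE),
     {"chrome.exe"}),
    ("windows_vault",
     re.compile(r"\\AppData\\Local\\Microsoft\\Vault\\", re.IGNORECASE),
     set()),  # no expected reader baselined here, so any read alerts
]

READ_DATA = 0x1  # FILE_READ_DATA bit of the 4663 AccessMask


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: FileAccessEvent) -> Optional[str]:
    """Return the rule name if the event is a read of a credential store by
    an unexpected process, otherwise None."""
    if event.event_id != 4663 or not (event.access_mask & READ_DATA):
        return None
    for name, pattern, expected_readers in RULES:
        if pattern.search(event.object_name) and basename(event.process) not in expected_readers:
            return name
    return None


def find_suspicious(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Run every record through the rules; return (rule, user, process, object) hits."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = evaluate(ev)
        if rule:
            hits.append((rule, ev.user, basename(ev.process), ev.object_name))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT", *hit)
```

On the sample, Chrome reading its own Login Data file is ignored, while the same file read by a downloaded executable and a Vault read by a binary in a Temp directory both produce alerts; the 4660 record is skipped because only 4663 opens with the read-data bit are in scope. Note that 4663 is only emitted when a SACL on the file requests auditing, so the credential-store paths must be audited before this logic sees anything.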