Skip to content

DET0430 Detect Credentials Access from Password Stores

Item Value
ID DET0430
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1555 (Credentials from Password Stores)

Analytics

Windows

AN1198

Monitors suspicious access to password stores such as LSASS, DPAPI, Windows Credential Manager, or browser credential databases. Detects anomalous process-to-process access (e.g., Mimikatz accessing LSASS) and correlation of credential store file reads with execution of non-standard processes.

Log Sources
Data Component Name Channel
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
TargetProcesses List of sensitive processes to monitor (e.g., lsass.exe, svchost.exe)
KeywordPatterns Regex for suspicious command-line arguments such as ‘dpapi’, ‘credman’, ‘mimikatz’

Linux

AN1199

Detects access to known password store files (e.g., /etc/shadow, GNOME Keyring, KWallet, browser credential databases). Monitors anomalous process read attempts and suspicious API calls that attempt to extract stored credentials.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL open/read
Process Creation (DC0032) auditd:EXECVE execve
Mutable Elements
Field Description
MonitoredFiles Paths to password storage files (e.g., /etc/shadow, ~/.local/share/keyrings/)
SuspiciousCommands Process or command-line keywords that indicate password extraction attempts

macOS

AN1200

Monitors Keychain database access and suspicious invocations of security and osascript utilities. Correlates process execution with attempts to dump or unlock Keychain data.

Log Sources
Data Component Name Channel
File Access (DC0055) macos:unifiedlog access to keychain database
Process Creation (DC0032) macos:unifiedlog execution of security or osascript
Mutable Elements
Field Description
AllowedApplications Whitelist of legitimate processes accessing the Keychain
AlertThreshold Number of failed access attempts before raising an alert

IaaS

AN1201

Detects attempts to access or enumerate cloud password/secrets storage services such as AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Monitors API calls for abnormal enumeration or bulk retrieval of secrets.

Log Sources
Data Component Name Channel
Cloud Service Enumeration (DC0083) AWS:CloudTrail GetSecretValue
OS API Execution (DC0021) AWS:CloudTrail Decrypt
Mutable Elements
Field Description
UserContext Correlate cloud API calls with IAM role, user, or service account context
AccessThreshold Number of secret retrievals within a time window before flagging