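# capa rule: flags code that reads a file and also references the path of a
# default OpenSSH private key (ATT&CK T1552.004, Unsecured Credentials:
# Private Keys).
rule:
  meta:
    name: collect ssh keys
    namespace: collection
    authors:
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Credential Access::Unsecured Credentials::Private Keys [T1552.004]
  features:
    # Both conditions must hold in the same scope: a file-read capability
    # (matched via another rule) plus one of the key-path strings below.
    - and:
      - match: host-interaction/file-system/read
      - or:
        # Substring match, so "/.ssh/id_rsa" also hits "/.ssh/id_rsa.pub";
        # a read of the public key alone still triggers this rule.
        # NOTE(review): only forward-slash paths are covered. A Windows-style
        # "\.ssh\id_rsa" will not match; confirm whether that is intended.
        - substring: "/.ssh/id_rsa"
        # Other default OpenSSH identity file names, added so that the rule
        # is not limited to RSA keys.
        - substring: "/.ssh/id_ecdsa"
        - substring: "/.ssh/id_ed25519"
        - substring: "/.ssh/id_dsa"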
last edited: 2023-11-24 10:35:00