Credential Access Builtin
Query
tags:
Query:
DeviceProcessEvents
| where FileName has_any ("defaults","mkpassdb") and ProcessCommandLine has_any ("ShadowHashData", "dump")
References:
https://github.com/elastic/detection-rules/blob/e9baebc2bc18f90ae16501613cd9521a16a38ad7/rules/macos/credential_access_dumping_hashes_bi_cmds.tomlExplanation
This KQL (Kusto Query Language) query is designed to search for specific suspicious activities in device process events. Here's a simple summary:
- The query looks at events related to processes running on devices (
DeviceProcessEvents). - It filters these events to find processes where the file name contains either "defaults" or "mkpassdb".
- Additionally, it checks if the command line used to run these processes contains either "ShadowHashData" or "dump".
In essence, the query is trying to identify potential credential dumping activities on macOS devices by looking for specific process names and command line arguments that are commonly associated with such malicious behavior.
Details

Ali Hussein
Released: October 28, 2023
Tables
DeviceProcessEvents
Keywords
Devices
Operators
DeviceProcessEvents|wherehas_any