Potential Credential Discovery via Recursive Grep

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Credential Discovery via Recursive Grep

Identifies recursive grep activity on Linux or macOS where the command line suggests hunting for secrets, credentials, keys, tokens, or sensitive paths (for example .env, .git, .aws). Events are aggregated per host, user, parent process, and one-minute window, the rule surfaces activity only when at least three distinct grep command lines match in the same bucket, to reduce noise from one-off searches.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Potential Credential Discovery via Recursive Grep

Adversaries and insider threats sometimes use grep -r (or --recursive, -R) across directories to find passwords, API keys, private keys, cloud tokens, or repository and environment files. This rule looks for grep/egrep process starts with recursive flags and command-line patterns associated with credential and secret discovery, then requires three or more distinct command lines in the same one-minute bucket per host, user, and parent process.

Possible investigation steps

Review Esql.cmd_values for the exact patterns searched (paths, regex, file globs).
Inspect Esql.pcmd_values and process.parent.name to see the launch context (interactive shell, script, IDE, CI).
Confirm whether the user and host normally run security scans, audits, or developer tooling that legitimately greps for secrets.
If suspicious, search the same host for file access, archive exfiltration, or cloud API use in the surrounding timeframe.

False positive analysis

Security scanners, secret scanners (e.g. in CI), and compliance scripts may match. Tune by parent process, user, working directory, or organizational allowlists.
Legitimate searches in documentation for the word "password" can match; the unique_cmd >= 3 threshold reduces but does not eliminate this.

Response and remediation

If unauthorized: contain the host, reset or rotate any credentials that may have been exposed, and review VCS and cloud audit logs for follow-on abuse.

Rule query

edit

from logs-endpoint.events.process-* metadata _id, _version, _index
| where host.os.type in ("linux", "macos")
  and event.category == "process"
  and process.name in ("grep", "egrep")
  and (to_lower(process.command_line) like "* -r*" or to_lower(process.command_line) like "*--recursive*")
  and (
    process.command_line like "*password*"
    or process.command_line like "*passwd*"
    or process.command_line like "*pwd*"
    or process.command_line like "*secret*"
    or process.command_line like "*token*"
    or process.command_line like "*apikey*"
    or process.command_line like "*api_key*"
    or process.command_line like "*api.key*"
    or process.command_line like "*access_key*"
    or process.command_line like "*private_key*"
    or process.command_line like "*client_secret*"
    or process.command_line like "*credential*"
    or process.command_line like "*auth*"
    or process.command_line like "*bearer*"
    or process.command_line like "*BEGIN*PRIVATE*KEY*"
    or process.command_line like "*ssh-rsa*"
    or process.command_line like "*ghp_*"
    or process.command_line like "*github_pat*"
    or process.command_line like "*xoxb-*"
    or process.command_line like "*hooks.slack.com*"
    or process.command_line like "*discord.com/api/webhooks*"
    or process.command_line like "*/.aws/*"
    or process.command_line like "*/.git/*"
    or process.command_line like "*/.env*"
  )
  and (process.parent.command_line is null or not (to_lower(process.parent.command_line) like "*shell-snapshots*" and process.parent.name in ("bash", "sh", "zsh")))
| eval Esql.time_bucket = date_trunc(1 minute, @timestamp)
| stats Esql.unique_cmd = count_distinct(process.command_line),
        Esql.cmd_values = values(process.command_line),
        Esql.pcmd_values = values(process.parent.command_line)
  by process.name, host.id, host.name, agent.id, process.parent.name, user.name, Esql.time_bucket
| where Esql.unique_cmd >= 3
| keep host.id, host.name, agent.id, user.name, process.parent.name, Esql.*

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
Sub-technique:
- Name: Credentials In Files
- ID: T1552.001
- Reference URL: https://attack.mitre.org/techniques/T1552/001/
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: File and Directory Discovery
- ID: T1083
- Reference URL: https://attack.mitre.org/techniques/T1083/

« Appendix f: Downloadable rule update v8.19.19 Data Encrypted via OpenSSL Utility »