Language: KQL · License: Elastic-2.0 · Source: elastic/detection-rules

Potential Shadow File Read via Command Line Utilities

Rule source: rules/linux/privilege_escalation_shadow_file_read.toml
host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and
(
  process.args : "/etc/shadow" or
  (process.working_directory: "/etc" and process.args: "shadow")
) and not (
  (process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") or
  (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") or
  process.executable:(
    /vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/* or
    "/etc/cron.daily/passwd" or "/usr/sbin/lynis" or "/usr/bin/rkhunter" or
    "/usr/local/hestia/bin/v-check-user-password" or "/usr/sbin/setroubleshootd" or
    "/usr/lib/tiger/scripts/check_passwdformat"
  ) or
  process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)
)