Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Linux Auditd Possible Access To Credential Files

The following analytic detects attempts to read or dump the contents of /etc/passwd and /etc/shadow on Linux systems. It leverages Linux Auditd data, specifically the proctitle (full command line) field, looking for invocations of 'cat', 'nano', 'vim' or 'vi' whose command line also contains 'passwd' or 'shadow'. This activity is significant because it may indicate credential dumping, a technique adversaries use to gain persistence or escalate privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise. Because both conditions are wildcard substring matches against the whole command line, routine administration (for example an operator running cat /etc/passwd) and any file whose path merely contains these strings will also fire; tune known-good hosts, users and paths through the filter macro.

Rule source: detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
`linux_auditd` proctitle IN ("*shadow*", "*passwd*") AND proctitle IN ("*cat *", "*nano *", "*vim *", "*vi *")
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY proctitle dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_possible_access_to_credential_files_filter`
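To see exactly what the search above matches and what it misses, the following Python re-implements its logic offline over constructed auditd PROCTITLE records. This is an added example, not code from splunk/security_content: it decodes the kernel's hex-encoded proctitle (argv elements joined by NUL bytes), applies the two wildcard IN() clauses, and aggregates by proctitle and host the way the stats command does. The sample events, host names and timestamps are constructed, and the assumption that Splunk matches these wildcards case-insensitively is noted in the code.

```python
import re

# Wildcard lists copied from the search; '*' is Splunk's any-characters wildcard.
FILE_PATTERNS = ("*shadow*", "*passwd*")
TOOL_PATTERNS = ("*cat *", "*nano *", "*vim *", "*vi *")

# auditd PROCTITLE record shape:
#   type=PROCTITLE msg=audit(<epoch>:<serial>): proctitle=<hex | "text">
_PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): proctitle=(?P<val>\S+)'
)


def wildcard_match(value, pattern):
    """Splunk-style wildcard test: '*' matches any run of characters, everything
    else is literal. Assumption: search-time field matching is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def decode_proctitle(raw):
    """auditd hex-encodes proctitle when argv contains NUL separators (any
    multi-argument command); single-argument titles may appear as a quoted string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", errors="replace").replace("\x00", " ")


def parse_proctitle_record(line):
    """Return {'_time', 'proctitle'} for a PROCTITLE record, or None for other record types."""
    m = _PROCTITLE_RE.search(line)
    if not m:
        return None
    return {"_time": float(m.group("ts")), "proctitle": decode_proctitle(m.group("val"))}


def matches_rule(proctitle):
    """Both IN() clauses must hold: a credential-file token AND one of the listed tools."""
    hits_file = any(wildcard_match(proctitle, p) for p in FILE_PATTERNS)
    hits_tool = any(wildcard_match(proctitle, p) for p in TOOL_PATTERNS)
    return hits_file and hits_tool


def run_detection(events):
    """events: iterable of (host, raw_audit_line). Mirrors
    `rename host as dest | stats count min(_time) max(_time) BY proctitle dest`."""
    buckets = {}
    for host, line in events:
        rec = parse_proctitle_record(line)
        if rec is None or not matches_rule(rec["proctitle"]):
            continue
        key = (rec["proctitle"], host)
        b = buckets.setdefault(key, {"proctitle": rec["proctitle"], "dest": host, "count": 0,
                                     "firstTime": rec["_time"], "lastTime": rec["_time"]})
        b["count"] += 1
        b["firstTime"] = min(b["firstTime"], rec["_time"])
        b["lastTime"] = max(b["lastTime"], rec["_time"])
    return sorted(buckets.values(), key=lambda b: (b["dest"], b["proctitle"]))


def _audit_line(epoch, serial, argv):
    """Build a constructed PROCTITLE record the way the kernel emits it: hex of NUL-joined argv."""
    return f"type=PROCTITLE msg=audit({epoch:.3f}:{serial}): proctitle=" + "\x00".join(argv).encode().hex()


# Constructed sample events (host, raw line); these are not real captures.
SAMPLE_EVENTS = [
    ("web01", _audit_line(1700000000.101, 201, ["cat", "/etc/shadow"])),
    ("web01", _audit_line(1700000000.105, 202, ["grep", "root", "/etc/passwd"])),  # grep: not in tool list, no alert
    ("web01", _audit_line(1700000300.101, 240, ["cat", "/etc/shadow"])),           # repeat on same host -> count 2
    ("web01", _audit_line(1700000310.500, 241, ["vi", "/etc/passwd"])),
    ("db02",  _audit_line(1700000400.000, 300, ["cat", "/etc/hostname"])),          # no shadow/passwd token, no alert
    ("db02",  _audit_line(1700000500.000, 301, ["sudo", "cat", "/etc/passwd"])),    # fires: likely benign admin check
    ("db02",  'type=PROCTITLE msg=audit(1700000600.000:302): proctitle="bash"'),    # quoted single-argument form
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Note that "*vi *" does not match "vim /etc/passwd" (there is no "vi " substring), which is why the search lists "*vim *" separately, and that "*passwd*" fires on any path containing the string, not only /etc/passwd.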