forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathprivilege_escalation_shadow_file_read.toml
86 lines (76 loc) · 2.45 KB
/
privilege_escalation_shadow_file_read.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
[metadata]
creation_date = "2022/09/01"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
[rule]
author = ["Elastic"]
description = """
Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating
privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may
utilize these to move laterally undetected and access additional resources.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Shadow File Read via Command Line Utilities"
references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
risk_score = 47
rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action == "exec" and user.name == "root"
and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))
and not process.executable:
("/usr/bin/tar",
"/bin/tar",
"/usr/bin/gzip",
"/bin/gzip",
"/usr/bin/zip",
"/bin/zip",
"/usr/bin/stat",
"/bin/stat",
"/usr/bin/cmp",
"/bin/cmp",
"/usr/bin/sudo",
"/bin/sudo",
"/usr/bin/find",
"/bin/find",
"/usr/bin/ls",
"/bin/ls",
"/usr/bin/uniq",
"/bin/uniq",
"/usr/bin/unzip",
"/bin/unzip")
and not process.parent.executable: "/bin/dracut"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"