From c6b7a19b59cd3a12ad0f9c6470eb1ed19b4ef574 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Sat, 14 Dec 2024 22:19:32 +0330
Subject: [PATCH] Merge PR #5099 from @CheraghiMilad - Update `Local System Accounts Discovery - Linux`

update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
---
 .../proc_creation_lnx_local_account.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
index 40bccc49a..403ed87c4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
@@ -4,9 +4,11 @@ status: test
 description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
-author: Alejandro Ortuno, oscd.community
+ - https://my.f5.com/manage/s/article/K589
+ - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
+author: Alejandro Ortuno, oscd.community, CheraghiMilad
 date: 2020-10-08
-modified: 2024-08-10
+modified: 2024-12-10
 tags:
 - attack.discovery
 - attack.t1087.001
@@ -28,10 +30,17 @@ detection:
 - '/tail'
 - '/vi'
 - '/vim'
+ - '/less'
+ - '/emacs'
+ - '/sqlite3'
+ - '/makemap'
 CommandLine|contains:
 - '/etc/passwd'
 - '/etc/shadow'
 - '/etc/sudoers'
+ - '/etc/spwd.db'
+ - '/etc/pwd.db'
+ - '/etc/master.passwd'
 selection_4:
 Image|endswith: '/id'
 selection_5:
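Review bot: The three added paths `/etc/spwd.db`, `/etc/pwd.db` and `/etc/master.passwd` are BSD password databases (the new reference is the FreeBSD pwd_mkdb man page), so under a Linux-only logsource they will rarely match and the intent should be recorded next to them, e.g. `# BSD password databases (see pwd_mkdb reference); only add coverage where the logsource also includes BSD hosts`. The `Image|endswith` list this hunk extends starts above the hunk, so the complete set of binaries is not visible here, but adding the interactive pager and editor `/less` and `/emacs` means routine administrator viewing of `/etc/passwd` now matches the selection; the rule's `falsepositives` field (outside the hunk) should say so. `/etc/pwd.db` and `/etc/spwd.db` are db(3) hash files rather than SQLite databases, so `/sqlite3` is presumably not what reads them; if that entry and `/makemap` target another data source, a one-line comment naming it would spare the next reviewer the same question.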