security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
T
Florian Roth 645292d945 removed contributor, added to authors
2021-11-12 19:44:50 +01:00

44 lines
1.2 KiB
YAML
Raw Blame History

title: Password Policy Discovery
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020/10/08
modified: 2021/11/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
- https://attack.mitre.org/techniques/T1201/
- https://linux.die.net/man/1/chage
- https://man7.org/linux/man-pages/man1/passwd.1.html
- https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
logsource:
product: linux
service: auditd
detection:
files:
type: 'PATH'
name:
- '/etc/pam.d/common-password'
- '/etc/security/pwquality.conf'
- '/etc/pam.d/system-auth'
- '/etc/login.defs'
chage:
type: 'EXECVE'
a0: 'chage'
a1:
- '--list'
- '-l'
passwd:
type: 'EXECVE'
a0: 'passwd'
a1:
- '-S'
- '--status'
condition: files or chage or passwd
falsepositives:
- Legitimate administration activities
level: low
tags:
- attack.discovery
- attack.t1201
Reference in New Issue View Git Blame Copy Permalink