rules/linux/privilege_escalation_shadow_file_read.toml

[metadata]
creation_date = "2022/09/01"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/01"

[rule]
author = ["Elastic"]
description = """
Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating
privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may
utilize these to move laterally undetected and access additional resources.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Shadow File Read via Command Line Utilities"
references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
risk_score = 47
rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"
  and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))
  and not process.executable:
    ("/usr/bin/tar",
    "/bin/tar",
    "/usr/bin/gzip",
    "/bin/gzip",
    "/usr/bin/zip",
    "/bin/zip",
    "/usr/bin/stat",
    "/bin/stat",
    "/usr/bin/cmp",
    "/bin/cmp",
    "/usr/bin/sudo",
    "/bin/sudo",
    "/usr/bin/find",
    "/bin/find",
    "/usr/bin/ls",
    "/bin/ls",
    "/usr/bin/uniq",
    "/bin/uniq",
    "/usr/bin/unzip",
    "/bin/unzip",
    "/usr/sbin/restorecon",
    "/sbin/restorecon")
  and not process.parent.executable: "/bin/dracut" and
  not (process.executable : ("/bin/chown", "/usr/bin/chown") and process.args : "root:shadow") and
  not (process.executable : ("/bin/chmod", "/usr/bin/chmod") and process.args : "640")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`[metadata]`
			`creation_date = "2022/09/01"`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`integration = ["endpoint"]`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`maturity = "production"`
			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`updated_date = "2023/03/01"`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403 ) 2022-11-21 11:25:39 -05:00			`Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating`
			`privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may`
			`utilize these to move laterally undetected and access additional resources.`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`"""`
			`from = "now-9m"`
			`index = ["auditbeat-", "logs-endpoint.events."]`
			`language = "eql"`
			`license = "Elastic License v2"`
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403 ) 2022-11-21 11:25:39 -05:00			`name = "Potential Shadow File Read via Command Line Utilities"`
			`references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`risk_score = 47`
			`rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"`
			`severity = "medium"`
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403 ) 2022-11-21 11:25:39 -05:00			`tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`timestamp_override = "event.ingested"`
			`type = "eql"`

			`query = '''`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"`
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403 ) 2022-11-21 11:25:39 -05:00			`and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`and not process.executable:`
			`("/usr/bin/tar",`
			`"/bin/tar",`
			`"/usr/bin/gzip",`
			`"/bin/gzip",`
			`"/usr/bin/zip",`
			`"/bin/zip",`
			`"/usr/bin/stat",`
			`"/bin/stat",`
			`"/usr/bin/cmp",`
			`"/bin/cmp",`
			`"/usr/bin/sudo",`
			`"/bin/sudo",`
			`"/usr/bin/find",`
			`"/bin/find",`
			`"/usr/bin/ls",`
			`"/bin/ls",`
			`"/usr/bin/uniq",`
			`"/bin/uniq",`
			`"/usr/bin/unzip",`
[Rule Tuning] Potential Shadow File Read via CLI (#2594 ) 2023-02-28 18:26:38 +01:00			`"/bin/unzip",`
			`"/usr/sbin/restorecon",`
			`"/sbin/restorecon")`
			`and not process.parent.executable: "/bin/dracut" and`
			`not (process.executable : ("/bin/chown", "/usr/bin/chown") and process.args : "root:shadow") and`
			`not (process.executable : ("/bin/chmod", "/usr/bin/chmod") and process.args : "640")`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`'''`

[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1068"`
			`name = "Exploitation for Privilege Escalation"`
			`reference = "https://attack.mitre.org/techniques/T1068/"`


			`[rule.threat.tactic]`
			`id = "TA0004"`
			`name = "Privilege Escalation"`
			`reference = "https://attack.mitre.org/tactics/TA0004/"`
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403 ) 2022-11-21 11:25:39 -05:00			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1003"`
			`name = "OS Credential Dumping"`
			`reference = "https://attack.mitre.org/techniques/T1003/"`
			`[[rule.threat.technique.subtechnique]]`
			`id = "T1003.008"`
			`name = "/etc/passwd and /etc/shadow"`
			`reference = "https://attack.mitre.org/techniques/T1003/008/"`
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283 ) 2022-09-14 22:01:46 +05:30
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403 ) 2022-11-21 11:25:39 -05:00

			`[rule.threat.tactic]`
			`id = "TA0006"`
			`name = "Credential Access"`
			`reference = "https://attack.mitre.org/tactics/TA0006/"`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00