[Rule Tuning] Shadow File Read via Command Line Utilities (#2403)

* Update privilege_escalation_shadow_file_read.toml description update, name update, query update, tags update, MITRE update * Update privilege_escalation_shadow_file_read.toml edited order of MITRE * changed file name to match credential_access as primary tactic changed file name to match credential_access as primary tactic * excluded common executables, not related to "read", based on telemetry excluded common executables, not related to "read", based on telemetry * update cred access reference MITRE * toml-lint file for final validation * Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml revert name back to privilege_escalation... * Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml * update update_date * Changed primary tactic back to privilege_escalation to match rule name Changed primary tactic back to privilege_escalation to match rule name
2022-11-21 11:25:39 -05:00
parent a7caa4baf3
commit 1637f2dc79
1 changed files with 47 additions and 11 deletions
@@ -3,35 +3,55 @@ creation_date = "2022/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/01"
+updated_date = "2022/11/21"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies the manual reading of the /etc/shadow file via the commandline using standard system utilities.
-Threat actors will attempt to read this file, after elevating their privileges to root,
-in order to gain valid credentials they can utilize to move laterally undetected and access additional resources.
+Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating
+privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may
+utilize these to move laterally undetected and access additional resources.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Shadow File Read via Command Line Utilities"
+name = "Potential Shadow File Read via Command Line Utilities"
+references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and event.action == "exec" and user.name == "root" and
-process.args : "/etc/shadow" and
-not process.executable: ("/usr/bin/find", "/usr/bin/cmp", "/bin/ls", "/usr/sbin/restorecon", "/usr/bin/uniq") and
-not process.parent.executable: "/bin/dracut"
+process where event.type == "start" and event.action == "exec" and user.name == "root" 
+  and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))
+  and not process.executable: 
+    ("/usr/bin/tar", 
+    "/bin/tar", 
+    "/usr/bin/gzip", 
+    "/bin/gzip", 
+    "/usr/bin/zip", 
+    "/bin/zip", 
+    "/usr/bin/stat", 
+    "/bin/stat", 
+    "/usr/bin/cmp", 
+    "/bin/cmp", 
+    "/usr/bin/sudo", 
+    "/bin/sudo", 
+    "/usr/bin/find", 
+    "/bin/find", 
+    "/usr/bin/ls", 
+    "/bin/ls", 
+    "/usr/bin/uniq", 
+    "/bin/uniq", 
+    "/usr/bin/unzip", 
+    "/bin/unzip") 
+  and not process.parent.executable: "/bin/dracut"
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -44,4 +64,20 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"

+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"