diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index ebcd34d2a..30c2b36fd 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -3,35 +3,55 @@ creation_date = "2022/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/01"
+updated_date = "2022/11/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the manual reading of the /etc/shadow file via the commandline using standard system utilities.
-Threat actors will attempt to read this file, after elevating their privileges to root,
-in order to gain valid credentials they can utilize to move laterally undetected and access additional resources.
+Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating
+privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may
+utilize these to move laterally undetected and access additional resources.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Shadow File Read via Command Line Utilities"
+name = "Potential Shadow File Read via Command Line Utilities"
+references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action == "exec" and user.name == "root" and
-process.args : "/etc/shadow" and
-not process.executable: ("/usr/bin/find", "/usr/bin/cmp", "/bin/ls", "/usr/sbin/restorecon", "/usr/bin/uniq") and
-not process.parent.executable: "/bin/dracut"
+process where event.type == "start" and event.action == "exec" and user.name == "root"
+ and (process.args : "/etc/shadow" or
(process.working_directory: "/etc" and process.args: "shadow"))
+ and not process.executable:
+ ("/usr/bin/tar",
+ "/bin/tar",
+ "/usr/bin/gzip",
+ "/bin/gzip",
+ "/usr/bin/zip",
+ "/bin/zip",
+ "/usr/bin/stat",
+ "/bin/stat",
+ "/usr/bin/cmp",
+ "/bin/cmp",
+ "/usr/bin/sudo",
+ "/bin/sudo",
+ "/usr/bin/find",
+ "/bin/find",
+ "/usr/bin/ls",
+ "/bin/ls",
+ "/usr/bin/uniq",
+ "/bin/uniq",
+ "/usr/bin/unzip",
+ "/bin/unzip")
+ and not process.parent.executable: "/bin/dracut"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -44,4 +64,20 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+ + [rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
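Review bot: Excluding `/usr/bin/tar`, `/bin/tar`, `gzip`, `zip` and `unzip` by `process.executable` in the new query removes exactly the utilities an attacker would use to "dump" the file, which the rewritten description now says the rule is meant to catch; a root `tar czf /tmp/s.tgz /etc/shadow` will no longer alert. If these entries were added to quiet backup jobs, scoping that suppression by `process.parent.executable` (as the query already does for `/bin/dracut`) keeps archiver coverage, and the accepted gap should be recorded in the rule's description or false-positive notes either way. The rewritten args clause also appears to match only the literal `/etc/shadow`, so the previous-hashes copy `/etc/shadow-` and `/etc/gshadow`/`/etc/gshadow-` are missed, and the new cwd branch only matches the bare token `shadow`; `and (process.args : ("/etc/shadow", "/etc/shadow-", "/etc/gshadow", "/etc/gshadow-") or (process.working_directory: "/etc" and process.args: ("shadow", "shadow-", "gshadow", "gshadow-")))` would close that. Dropping `/usr/sbin/restorecon` from the old exclusion list looks like it may re-introduce alerts from SELinux relabels of the file; confirm that was intended rather than lost in the rewrite.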