
Summary
This detection rule, authored by Elastic, identifies attempts to access the sensitive `/etc/shadow` file on Linux systems via command-line utilities. The `/etc/shadow` file is critical because it contains the hashed user passwords, making it a primary target for attackers seeking to escalate privileges or move laterally within the network. The rule uses KQL (Kibana Query Language) to monitor process events, capturing instances where standard system utilities are used to access this file while excluding legitimate administrative tasks (such as changing the file's permissions or ownership). The rule is aimed primarily at environments integrated with Elastic Defend through the Elastic Agent and requires a specific operational setup to function properly. The analysis and response sections provide guidance on investigating potential security incidents and mitigating threats associated with unauthorized access to sensitive credential files.
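As an added illustration of the detection logic the summary describes (this is not Elastic's rule or its actual KQL), the following Python re-implements that logic and runs it over constructed process events. The list of reading utilities, the event field names and the sample events are assumptions.

```python
# Added example, not Elastic's rule: a minimal re-implementation of the
# described logic (file-reading utility started with /etc/shadow as an
# argument, chmod/chown excluded) over constructed process events.
from dataclasses import dataclass
from typing import List

SHADOW_PATH = "/etc/shadow"
# Assumed set of command-line utilities that read files; the real rule's
# list is not on the page and may differ.
READ_UTILITIES = {"cat", "tac", "less", "more", "head", "tail", "grep",
                  "awk", "sed", "vi", "vim", "nano", "cp", "strings"}
# Legitimate administrative actions the summary says the rule excludes.
EXCLUDED_UTILITIES = {"chmod", "chown"}


@dataclass
class ProcessEvent:
    """Constructed stand-in for an Elastic process event (field names assumed)."""
    event_type: str      # "start" or "end"
    process_name: str    # basename of the executable
    args: List[str]      # full argv, argv[0] included


def is_shadow_access(event: ProcessEvent) -> bool:
    """True when a file-reading utility is started with /etc/shadow as an argument."""
    if event.event_type != "start":
        return False
    if event.process_name in EXCLUDED_UTILITIES:
        return False  # permission/ownership changes are routine admin work
    if event.process_name not in READ_UTILITIES:
        return False
    return SHADOW_PATH in event.args[1:]


def find_alerts(events: List[ProcessEvent]) -> List[str]:
    """Return the command lines of the events the rule would alert on."""
    return [" ".join(e.args) for e in events if is_shadow_access(e)]


# Constructed sample telemetry, not real captured events.
SAMPLE_EVENTS = [
    ProcessEvent("start", "cat", ["cat", "/etc/shadow"]),
    ProcessEvent("start", "chmod", ["chmod", "640", "/etc/shadow"]),
    ProcessEvent("start", "chown", ["chown", "root:shadow", "/etc/shadow"]),
    ProcessEvent("start", "cat", ["cat", "/etc/passwd"]),
    ProcessEvent("start", "grep", ["grep", "root", "/etc/shadow"]),
    ProcessEvent("end", "cat", ["cat", "/etc/shadow"]),
    ProcessEvent("start", "cp", ["cp", "/etc/shadow", "/tmp/s"]),
]

if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the three read-style invocations are reported; the chmod and chown events and the process-end event are dropped, mirroring the exclusions the summary describes.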
Categories
- Endpoint
- Linux
Data Sources
- Process
- Application Log
- Script
- File
ATT&CK Techniques
- T1068
- T1003
- T1003.008
Created: 2022-09-01