Potential Shadow File Read via Command Line Utilities

Last updated: 2025-01-15
Created: 2022-09-01

About

Identifies access to the /etc/shadow file via the command line using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to obtain valid credential material (password hashes), which they may then use to move laterally undetected and access additional resources.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)

Credential Access (TA0006)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*
endgame-*
Related Integrations

endpoint

Query
host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and
(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not (
  (process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") or
  (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") or
  process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or
  process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)
)
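To make the query's logic concrete, the following is an added example (not Elastic's code and not part of the rule) that re-implements the KQL filter above in plain Python and runs it over a handful of constructed ECS-style process events. It shows which events the filter matches, how each exclusion in the `and not (...)` clause removes a benign case, and how a "first seen" layer approximates the New Terms rule type. The page does not say which fields the New Terms logic keys on, so the `(host.name, process.executable)` key used here is an assumption.

```python
"""Plain-Python re-implementation of the rule's KQL filter (added example,
not Elastic's code), exercised against constructed sample events."""
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List, Set, Tuple

# Wildcard exclusions copied from the rule's query.
EXCLUDED_EXECUTABLE_GLOBS = ("/vz/*", "/var/lib/docker/*", "/run/containerd/*",
                             "/tmp/.criu*", "/tmp/newroot/*")
EXCLUDED_PARENT_GLOBS = ("gen_passwd_sets", "scc_*", "wazuh-modulesd")


def _get(event: Dict[str, Any], path: str, default=None):
    """Walk a dotted ECS field path ("process.parent.name") through nested dicts."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _as_list(value) -> List[str]:
    """ECS process.args is an array; tolerate a single string as well."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_shadow_read(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies the rule's KQL filter."""
    if _get(event, "host.os.type") != "linux":
        return False
    if _get(event, "event.category") != "process":
        return False
    if _get(event, "event.action") not in ("exec", "exec_event"):
        return False

    args = _as_list(_get(event, "process.args"))
    cwd = _get(event, "process.working_directory")
    # KQL `process.args : "x"` matches when any element of the array equals x.
    touches_shadow = "/etc/shadow" in args or (cwd == "/etc" and "shadow" in args)
    if not touches_shadow:
        return False

    exe = _get(event, "process.executable") or ""
    parent = _get(event, "process.parent.name") or ""
    # Exclusions from the rule's `and not (...)` clause: routine permission
    # maintenance, container/checkpoint paths, and known scanner parents.
    if exe in ("/bin/chown", "/usr/bin/chown") and "root:shadow" in args:
        return False
    if exe in ("/bin/chmod", "/usr/bin/chmod") and "640" in args:
        return False
    if any(fnmatchcase(exe, g) for g in EXCLUDED_EXECUTABLE_GLOBS):
        return False
    if any(fnmatchcase(parent, g) for g in EXCLUDED_PARENT_GLOBS):
        return False
    return True


def first_seen_alerts(events: Iterable[Dict[str, Any]],
                      key_fields: Tuple[str, ...] = ("host.name", "process.executable")
                      ) -> List[Dict[str, Any]]:
    """Keep only matching events whose key has not appeared earlier in the stream.
    This approximates New Terms behaviour; the key fields are an assumption."""
    seen: Set[Tuple] = set()
    alerts = []
    for ev in events:
        if not matches_shadow_read(ev):
            continue
        key = tuple(_get(ev, f) for f in key_fields)
        if key in seen:
            continue
        seen.add(key)
        alerts.append(ev)
    return alerts


def _ev(exe, args, cwd="/root", parent="bash", host="web-01",
        action="exec", os_type="linux", category="process"):
    """Build a constructed ECS-shaped event for the sample set below."""
    return {
        "host": {"name": host, "os": {"type": os_type}},
        "event": {"category": category, "action": action},
        "process": {"executable": exe, "args": args, "working_directory": cwd,
                    "parent": {"name": parent}},
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("/usr/bin/cat", ["cat", "/etc/shadow"]),                                # match
    _ev("/usr/bin/cat", ["cat", "shadow"], cwd="/etc"),                         # match: relative path from /etc
    _ev("/usr/bin/chown", ["chown", "root:shadow", "/etc/shadow"]),             # excluded: chown root:shadow
    _ev("/usr/bin/chmod", ["chmod", "640", "/etc/shadow"]),                     # excluded: chmod 640
    _ev("/var/lib/docker/overlay2/x/merged/bin/cat", ["cat", "/etc/shadow"]),   # excluded: container path
    _ev("/usr/bin/grep", ["grep", "root", "/etc/shadow"], parent="scc_check"),  # excluded: scc_* parent
    _ev("/usr/bin/cat", ["cat", "/etc/shadow"], os_type="windows"),             # not linux
    _ev("/usr/bin/cat", ["cat", "/etc/shadow"]),                                # match, repeat of first
    _ev("/usr/bin/tail", ["tail", "/etc/shadow"], host="db-02"),                # match
]

if __name__ == "__main__":
    print("filter matches:", sum(matches_shadow_read(e) for e in SAMPLE_EVENTS))
    print("first-seen alerts:", len(first_seen_alerts(SAMPLE_EVENTS)))
```

Of the nine constructed events, four pass the filter and two survive the first-seen layer: the repeated `cat /etc/shadow` on `web-01` and the relative `shadow` read from `/etc` by the same executable collapse onto one key, which is the tuning trade-off a New Terms rule makes in exchange for lower alert volume. The `fnmatchcase` globs match across `/` just as KQL wildcards on keyword fields do, so the `/var/lib/docker/*` exclusion covers nested overlay paths.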

Install detection rules in Elastic Security

Detect Potential Shadow File Read via Command Line Utilities in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.