Query Details

Rule Documentation: Detection of Unauthorized Renaming of /etc/shadow

Shadow File Modified

Query

DeviceFileEvents
| where ActionType contains "FileRenamed"
| where FileName == @"/etc/shadow"

About this query

Rule Documentation: Detection of Unauthorized Renaming of /etc/shadow

Description

This detection rule identifies attempts to rename the /etc/shadow file on Linux systems. The /etc/shadow file contains hashed passwords for user accounts and should never be renamed during normal operations. Unauthorized renaming of this file could indicate malicious activity, such as an attempt to hide unauthorized changes to user passwords.

This rule monitors for Linux shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.

Detection Logic

  • Monitors DeviceFileEvents for events where:
    • The ActionType contains "FileRenamed", and
    • The FileName is /etc/shadow.

Tags

  • File Events
  • Persistence
  • User Password Change
  • /etc/shadow
  • Linux Security
  • Suspicious Activity

Search Query

Explanation

This query looks for any attempts to rename the /etc/shadow file on Linux systems, which could indicate unauthorized activity related to user passwords. It monitors for file rename events specifically for the /etc/shadow file.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 7, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsActionTypeFileRenamedFileName/etc/shadow

Operators

wherecontains==

Actions

GitHub