Query Details

Rule: Detection of Unauthorized Renaming of /etc/shadow

Shadow File Modified

Query

DeviceFileEvents
| where ActionType contains "FileRenamed"
| where FileName == @"/etc/shadow"

About this query

Rule: Detection of Unauthorized Renaming of /etc/shadow

Description

This detection rule identifies attempts to rename the /etc/shadow file on Linux systems. The /etc/shadow file contains hashed passwords for user accounts and should never be renamed during normal operations. Unauthorized renaming of this file could indicate malicious activity, such as an attempt to hide unauthorized changes to user passwords.

This rule monitors for Linux shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.

Detection Logic

  • Monitors DeviceFileEvents for events where:
    • The ActionType contains "FileRenamed", and
    • The FileName is /etc/shadow.

Tags

  • File Events
  • Persistence
  • User Password Change
  • /etc/shadow
  • Linux Security
  • Suspicious Activity

Search Query

Explanation

This query is designed to detect any attempts to rename the /etc/shadow file on Linux systems. The /etc/shadow file is critical because it stores hashed passwords for user accounts, and renaming it is not a normal operation. Such an action could indicate malicious activity, such as an attempt to hide unauthorized changes to user passwords.

Key Points:

  • Purpose: To identify unauthorized renaming of the /etc/shadow file.
  • Why it matters: Renaming this file could be a sign of malicious activity aimed at maintaining unauthorized access to the system.
  • Detection Method: Monitors file events (DeviceFileEvents) for actions where:
    • The action type is "FileRenamed".
    • The file name is /etc/shadow.

Search Query:

DeviceFileEvents
| where ActionType contains "FileRenamed"
| where FileName == @"/etc/shadow"

Tags:

  • File Events
  • Persistence
  • User Password Change
  • /etc/shadow
  • Linux Security
  • Suspicious Activity

This query helps in identifying suspicious activities related to user password changes and potential persistence mechanisms used by threat actors on Linux systems.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 8, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsUserPasswordChangeLinuxSecuritySuspiciousActivity

Operators

`|wherecontains==`

Actions

GitHub