Query Details

Shadow/Passwd copy to suspicious location

Query

# Rule : Sensitive File Copy to /tmp Directory

## Description
Detects attempts to copy sensitive system files, such as `shadow` and `passwd`, to the `/tmp` directory using the `cp` command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory may indicate malicious intent to exfiltrate or manipulate sensitive data.

- Source: [Sigma rule for detecting copying of sensitive files to /tmp](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml)

## Detection Logic
- Monitors process events where the executed file name is `cp`.
- Filters for instances where the process command line contains `/tmp` and includes either `shadow` or `passwd`, indicating an attempt to copy these sensitive files to the `/tmp` directory.

## Tags
- Sensitive File Copy
- Shadow File
- Passwd File
- Process Events
- Linux

## Search Query
```kql
DeviceProcessEvents
| where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")
```

Explanation

This query is designed to detect attempts to copy sensitive system files, specifically shadow and passwd, to the /tmp directory using the cp command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory could indicate malicious activity, such as an attempt to steal or manipulate sensitive data.

Key Points:

  • Monitors process events: The query looks at events related to processes.
  • Executed file name is cp: It specifically checks for the cp command, which is used to copy files.
  • Command line contains /tmp: It filters for instances where the command line includes the /tmp directory.
  • Includes shadow or passwd: It further filters for commands that involve the shadow or passwd files.

Query Breakdown:

DeviceProcessEvents
| where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")
  • DeviceProcessEvents: The dataset containing process event logs.
  • FileName == "cp": Filters events where the executed command is cp.
  • ProcessCommandLine contains "/tmp": Ensures the command involves the /tmp directory.
  • ProcessCommandLine has_any ("shadow", "passwd"): Checks if the command involves the shadow or passwd files.
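As an added example (not part of the rule or the original page), the same three predicates reimplemented in Python and run over a few constructed DeviceProcessEvents rows, so the operator semantics the breakdown relies on can be checked offline: `==` is case-sensitive, `contains` is a case-insensitive substring match, and `has_any` matches whole terms rather than substrings. The `ProcessEvent` class, `SAMPLE_EVENTS` and the alphanumeric term-boundary regex are assumptions made for this example; the regex only approximates Kusto's term indexing.

```python
import re
from dataclasses import dataclass

# Assumption: a Kusto "term" is a run of alphanumeric characters.
_TERM_CHARS = r"[A-Za-z0-9]"


@dataclass
class ProcessEvent:
    """One DeviceProcessEvents row, reduced to the two columns the rule reads."""
    file_name: str             # FileName
    process_command_line: str  # ProcessCommandLine


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def kql_has_any(haystack: str, terms) -> bool:
    """KQL `has_any`: case-insensitive match on whole terms, not substrings."""
    for term in terms:
        pattern = rf"(?<!{_TERM_CHARS}){re.escape(term)}(?!{_TERM_CHARS})"
        if re.search(pattern, haystack, re.IGNORECASE):
            return True
    return False


def matches_rule(event: ProcessEvent) -> bool:
    """The rule's where-clause, predicate by predicate."""
    return (
        event.file_name == "cp"  # `==` is case-sensitive
        and kql_contains(event.process_command_line, "/tmp")
        and kql_has_any(event.process_command_line, ("shadow", "passwd"))
    )


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("cp", "cp /etc/shadow /tmp/.cache/sh"),        # alert
    ProcessEvent("cp", "cp -p /etc/passwd /tmp/PASSWD.bak"),    # alert (case-insensitive)
    ProcessEvent("cp", "cp /etc/gshadow /tmp/g"),               # no alert: "gshadow" is one term
    ProcessEvent("cp", "cp /etc/passwd /home/alice/backup/"),   # no alert: no /tmp
    ProcessEvent("cat", "cat /etc/shadow > /tmp/out"),          # no alert: FileName is not cp
    ProcessEvent("cp", "cp notes.txt /tmp/"),                   # no alert: no sensitive file
]


def run_detection(events):
    """Return the command lines the rule would surface, in input order."""
    return [e.process_command_line for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in run_detection(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The `gshadow` row shows the practical consequence of term matching: a sensitive name embedded in a longer token is not matched by `has_any`, so coverage of related files has to be added explicitly rather than assumed.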

Tags:

  • Sensitive File Copy: Indicates the query is looking for copying of sensitive files.
  • Shadow File: Refers to the /etc/shadow file, which stores hashed passwords.
  • Passwd File: Refers to the /etc/passwd file, which stores user account information.
  • Process Events: Indicates the query is based on process creation events.
  • Linux: Specifies the operating system this query is relevant to.

Details


Ali Hussein

Released: July 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Linux, Sensitive File Copy, Shadow File, Passwd File

Operators

==, and, contains, has_any
