This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-01-10
- Author: Teoderick Contreras, Splunk
- ID: 16107e0e-71fc-11ec-b862-acde48001122
|T1003.008||/etc/passwd and /etc/shadow||Credential Access|
|T1003||OS Credential Dumping||Credential Access|
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/shadow*", "*/etc/passwd*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`
Associated Analytic Story
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
Kill Chain Phase
- Privilege Escalation
Known False Positives
Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
|25.0||50||50||A commandline $process$ executed on $dest$|
source | version: 1