T1003.008 OS Credential Dumping etc passwd and etc shadow

T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow

DESCRIPTION

Suspicious Unix Utility Usage for Credential Dumping, this query would check if "passwd or shadow" files were accessed.

Related LoLBins Credential access

Reference:

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
https://attack.mitre.org/techniques/T1003/008/

ATT&CK TACTICS

T1003.008

Data source - File , Process

SENTINEL RULE QUERY

DeviceProcessEvents
| where ProcessCommandLine matches regex @"(cat|less|more|head|tail|vi|vim).*\/etc\/(passwd|shadow)"
| where InitiatingProcessFileName !in ("gc_worker","gc_linux_service","omsbaseline","qualys-scan-util","coreutils","postgres","systemd","sw-engine","qualys-cloud-agent","nessusd")
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessFolderPath=make_set(InitiatingProcessFolderPath), set_InitiatingProcessFileName=make_set(InitiatingProcessFileName), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine) , set_DeviceName=make_set(DeviceName), set_FolderPath=make_set(FolderPath), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, AccountName, TenantId

Triage

1. Validate activities performed by the account, whether it's expected and approved. (Use the summarize statement if the search generated > 10 results)
2. Verify whether service accounts expected to perform these actions

False Positive

• Legitimate admin activity
• Activity from Service Accounts

Version

Version 1.0 (date 20/03/2024)