Potential Linux Credential Dumping via Unshadow
Identifies the execution of the unshadow utility, which is part of John the Ripper, a password-cracking tool, on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/passwd' files. Using the combined file generated by the utility, threat actors can feed it to password-cracking utilities or prepare for future operations by gathering the victim's credential information.
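[metadata]
creation_date = "2023/02/27"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/20"

[rule]
author = ["Elastic"]
# The file unshadow merges with /etc/shadow is /etc/passwd (there is no "/etc/password");
# this matches the MITRE sub-technique name used in [[rule.threat.technique.subtechnique]].
description = """
Identifies the execution of the unshadow utility which is part of John the Ripper,
a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve
the combined contents of the '/etc/shadow' and '/etc/passwd' files.
Using the combined file generated from the utility, the malicious threat actors can use them as input
for password-cracking utilities or prepare themselves for future operations by gathering
credential information of the victim.
"""
# Look-back window for each scheduled run; paired with timestamp_override below so that
# events indexed late are still evaluated once instead of being skipped.
from = "now-9m"
# Two data sources: Elastic Endpoint and Elastic Endgame. The event.action values in the
# query ("exec" / "exec_event") correspond to these two sources.
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Unshadow"
references = [
  "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
]
risk_score = 47
rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
severity = "medium"
tags = ["Elastic", "Elastic Endgame", "Host", "Linux", "Threat Detection", "Credential Access"]
# Evaluate the rule against ingest time rather than the event's own timestamp.
timestamp_override = "event.ingested"
type = "eql"
# Matches a process start whose name is literally "unshadow" and that was given at least one
# argument (process.args_count includes the executable itself, so >= 2 means one or more
# arguments, i.e. the passwd/shadow file paths). Coverage caveat: the match is on
# process.name only, so a copied or renamed binary is not detected by this rule; treat a
# hit as a strong signal and the absence of hits as weak evidence. Tuning for legitimate
# administrative or audit use should be done via exceptions rather than by loosening the query.
query = '''
process where host.os.type == "linux" and process.name == "unshadow" and
  event.type == "start" and event.action in ("exec", "exec_event") and process.args_count >= 2
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"

# Sub-table of the single [[rule.threat]] element above; it must stay after that header
# and before any further [[rule.threat]] entry.
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"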