Security File Access via Common Utilities

This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read from sensitive files using common utilities to gather information about the system and its security configuration.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/11/04"
  3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_version = "8.13.0"
  6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  7updated_date = "2025/01/15"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects sensitive security file access via common utilities on Linux systems. Adversaries may attempt to read
 13from sensitive files using common utilities to gather information about the system and its security configuration.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Security File Access via Common Utilities"
 20risk_score = 21
 21rule_id = "7efca3ad-a348-43b2-b544-c93a78a0ef92"
 22setup = """## Setup
 23
 24This rule requires data coming in from Elastic Defend.
 25
 26### Elastic Defend Integration Setup
 27Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 28
 29#### Prerequisite Requirements:
 30- Fleet is required for Elastic Defend.
 31- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 32
 33#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 34- Go to the Kibana home page and click "Add integrations".
 35- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 36- Click "Add Elastic Defend".
 37- Configure the integration name and optionally add a description.
 38- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 39- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 40- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 41- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 42For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 43- Click "Save and Continue".
 44- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 45For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 46"""
 47severity = "low"
 48tags = [
 49        "Domain: Endpoint",
 50        "OS: Linux",
 51        "Use Case: Threat Detection",
 52        "Tactic: Discovery",
 53        "Data Source: Elastic Defend",
 54        "Data Source: Crowdstrike",
 55        "Data Source: SentinelOne",
 56        "Data Source: Elastic Endgame",
 57        "Resources: Investigation Guide"
 58        ]
 59timestamp_override = "event.ingested"
 60type = "eql"
 61query = '''
 62process where host.os.type == "linux" and event.type == "start" and
 63  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
 64  process.name in ("cat", "grep", "less", "more", "strings", "awk", "find", "xargs") and
 65  process.args like (
 66    "/etc/security/*", "/etc/pam.d/*", "/etc/login.defs", "/lib/security/*", "/lib64/security/*",
 67    "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
 68    "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
 69    "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
 70    "/home/*/.azure/azureProfile.json"
 71  )
 72'''
 73note = """## Triage and analysis
 74
 75> **Disclaimer**:
 76> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 77
 78### Investigating Security File Access via Common Utilities
 79
 80In Linux environments, common utilities like `cat`, `grep`, and `less` are essential for file manipulation and viewing. Adversaries exploit these tools to access sensitive security files, aiming to gather system and security configuration data. The detection rule identifies suspicious use of these utilities by monitoring process execution patterns and arguments, flagging attempts to access critical security files, thus helping to thwart potential reconnaissance activities.
 81
 82### Possible investigation steps
 83
 84- Review the process execution details to identify the specific utility used (e.g., cat, grep, less) and the exact file path accessed, as indicated by the process.name and process.args fields.
 85- Check the user account associated with the process execution to determine if the access was performed by a legitimate user or a potentially compromised account.
 86- Investigate the timing and frequency of the access attempt to assess whether it aligns with normal user behavior or indicates suspicious activity.
 87- Correlate the alert with other security events or logs from the same host to identify any preceding or subsequent suspicious activities, such as unauthorized logins or privilege escalation attempts.
 88- Examine the host's recent changes or updates to security configurations or user permissions that might explain the access attempt.
 89- If possible, contact the user or system owner to verify whether the access was intentional and authorized, providing additional context for the investigation.
 90
 91### False positive analysis
 92
 93- System administrators or automated scripts may frequently access security files for legitimate maintenance or configuration purposes. To handle this, create exceptions for known administrative accounts or specific scripts that regularly perform these actions.
 94- Security monitoring tools or compliance checks might trigger the rule when scanning security files. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts.
 95- Backup processes that involve copying or reading security files can be mistaken for suspicious activity. Exclude backup software processes or scheduled tasks that are known to perform these operations.
 96- Developers or DevOps personnel accessing configuration files for application deployment or troubleshooting might trigger the rule. Establish a list of trusted users or roles and exclude their access patterns from detection.
 97- Regular system updates or package management operations may involve accessing security-related files. Recognize these update processes and exclude them to avoid false positives during routine maintenance.
 98
 99### Response and remediation
100
101- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
102- Terminate any suspicious processes identified by the detection rule to halt potential reconnaissance activities.
103- Conduct a thorough review of the accessed files to determine if any sensitive information was exposed or altered.
104- Change credentials and access tokens for any compromised accounts, especially those related to AWS, GCP, or Azure, to prevent unauthorized access.
105- Implement stricter access controls and permissions on sensitive security files to limit exposure to only necessary users and processes.
106- Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network.
107- Enhance monitoring and logging for similar activities to improve detection and response times for future incidents."""
108
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111
112[rule.threat.tactic]
113id = "TA0007"
114name = "Discovery"
115reference = "https://attack.mitre.org/tactics/TA0007/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Security File Access via Common Utilities

In Linux environments, common utilities like cat, grep, and less are essential for file manipulation and viewing. Adversaries exploit these tools to access sensitive security files, aiming to gather system and security configuration data. The detection rule identifies suspicious use of these utilities by monitoring process execution patterns and arguments, flagging attempts to access critical security files, thus helping to thwart potential reconnaissance activities.

Possible investigation steps

  • Review the process execution details to identify the specific utility used (e.g., cat, grep, less) and the exact file path accessed, as indicated by the process.name and process.args fields.
  • Check the user account associated with the process execution to determine if the access was performed by a legitimate user or a potentially compromised account.
  • Investigate the timing and frequency of the access attempt to assess whether it aligns with normal user behavior or indicates suspicious activity.
  • Correlate the alert with other security events or logs from the same host to identify any preceding or subsequent suspicious activities, such as unauthorized logins or privilege escalation attempts.
  • Examine the host's recent changes or updates to security configurations or user permissions that might explain the access attempt.
  • If possible, contact the user or system owner to verify whether the access was intentional and authorized, providing additional context for the investigation.

False positive analysis

  • System administrators or automated scripts may frequently access security files for legitimate maintenance or configuration purposes. To handle this, create exceptions for known administrative accounts or specific scripts that regularly perform these actions.
  • Security monitoring tools or compliance checks might trigger the rule when scanning security files. Identify these tools and exclude their processes from the rule to prevent unnecessary alerts.
  • Backup processes that involve copying or reading security files can be mistaken for suspicious activity. Exclude backup software processes or scheduled tasks that are known to perform these operations.
  • Developers or DevOps personnel accessing configuration files for application deployment or troubleshooting might trigger the rule. Establish a list of trusted users or roles and exclude their access patterns from detection.
  • Regular system updates or package management operations may involve accessing security-related files. Recognize these update processes and exclude them to avoid false positives during routine maintenance.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Terminate any suspicious processes identified by the detection rule to halt potential reconnaissance activities.
  • Conduct a thorough review of the accessed files to determine if any sensitive information was exposed or altered.
  • Change credentials and access tokens for any compromised accounts, especially those related to AWS, GCP, or Azure, to prevent unauthorized access.
  • Implement stricter access controls and permissions on sensitive security files to limit exposure to only necessary users and processes.
  • Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network.
  • Enhance monitoring and logging for similar activities to improve detection and response times for future incidents.

Related rules

to-top