Suspicious Passwd File Event Action

Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the "/etc/passwd" file. The "/etc/passwd" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the "/etc/passwd" file permissions or other privileges to add a new entry to the "/etc/passwd" file with root permissions, and leverage this new user account to login as root.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/01/22"
  3integration = ["endpoint", "auditd_manager"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the
 11"/etc/passwd" file. The "/etc/passwd" file in Linux stores user account information, including usernames, user IDs,
 12group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the "/etc/passwd" file
 13permissions or other privileges to add a new entry to the "/etc/passwd" file with root permissions, and leverage this
 14new user account to login as root.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.*", "logs-auditd_manager.auditd-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Suspicious Passwd File Event Action"
 21risk_score = 47
 22rule_id = "71d6a53d-abbd-40df-afee-c21fff6aafb0"
 23setup = """## Setup
 24
 25
 26This rule requires data coming in from Elastic Defend and Auditd Manager.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
 30the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 31
 32#### Prerequisite Requirements:
 33- Fleet is required for Elastic Defend.
 34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 35
 36#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 37- Go to the Kibana home page and click "Add integrations".
 38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 39- Click "Add Elastic Defend".
 40- Configure the integration name and optionally add a description.
 41- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 43- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 46- Click "Save and Continue".
 47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 49
 50### Auditd Manager Integration Setup
 51The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
 52Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
 53
 54#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
 55- Go to the Kibana home page and click “Add integrations”.
 56- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
 57- Click “Add Auditd Manager”.
 58- Configure the integration name and optionally add a description.
 59- Review optional and advanced settings accordingly.
 60- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 61- Click “Save and Continue”.
 62- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
 63
 64#### Rule Specific Setup Note
 65Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
 66However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
 67- For this detection rule the following additional audit rules are required to be added to the integration:
 68  -- "-w /etc/passwd -p wa -k etcpasswd"
 69"""
 70severity = "medium"
 71tags = [
 72    "Data Source: Auditd Manager",
 73    "Domain: Endpoint",
 74    "OS: Linux",
 75    "Use Case: Threat Detection",
 76    "Tactic: Privilege Escalation",
 77    "Data Source: Elastic Defend",
 78    "Resources: Investigation Guide",
 79]
 80type = "eql"
 81
 82query = '''
 83sequence by host.id, process.parent.pid with maxspan=1m
 84  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 85   process.name == "openssl" and process.args == "passwd" and user.id != "0"]
 86  [file where host.os.type == "linux" and file.path == "/etc/passwd" and process.parent.pid != 1 and
 87   not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"]
 88'''
 89note = """## Triage and analysis
 90
 91> **Disclaimer**:
 92> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 93
 94### Investigating Suspicious Passwd File Event Action
 95
 96In Linux environments, the `/etc/passwd` file is crucial for managing user accounts. Adversaries may exploit vulnerabilities or misconfigurations to add unauthorized entries, potentially gaining root access. The detection rule monitors for the use of `openssl` to generate password entries and subsequent unauthorized modifications to the `/etc/passwd` file, flagging potential privilege escalation attempts.
 97
 98### Possible investigation steps
 99
100- Review the process execution details to confirm the use of 'openssl' with the 'passwd' argument by a non-root user (user.id != "0"). This can help identify the user attempting to generate a password entry.
101- Examine the process tree to understand the parent process of the 'openssl' command and determine if it was initiated by a legitimate or suspicious process.
102- Check the file modification event on '/etc/passwd' to verify if the file was altered by a non-root user (user.id != "0") and ensure the process.parent.pid is not 1, indicating it wasn't initiated by the init process.
103- Investigate the context of the file write event by reviewing recent logs and system changes to identify any unauthorized modifications or anomalies in user account management.
104- Correlate the event with other security alerts or logs to determine if there are additional indicators of compromise or related suspicious activities on the host.
105
106### False positive analysis
107
108- System administrators or automated scripts may use openssl to manage user passwords without malicious intent. To handle this, identify and whitelist known administrative scripts or processes that perform legitimate password management tasks.
109- Some legitimate software installations or updates might temporarily modify the /etc/passwd file. Monitor and document these activities to distinguish them from unauthorized changes, and consider creating exceptions for known software processes.
110- Developers or testers might use openssl for password generation in non-production environments. Establish a policy to differentiate between production and non-production systems, and apply the rule more strictly in production environments.
111- Scheduled maintenance tasks might involve legitimate modifications to the /etc/passwd file. Coordinate with IT teams to schedule these tasks and temporarily adjust monitoring rules during these periods to prevent false positives.
112- In environments with multiple administrators, ensure that all legitimate administrative actions are logged and reviewed. Implement a process for administrators to report their activities, allowing for the creation of exceptions for known, non-threatening actions.
113
114### Response and remediation
115
116- Immediately isolate the affected host from the network to prevent further unauthorized access or privilege escalation attempts.
117- Terminate any suspicious processes related to `openssl` or unauthorized modifications to the `/etc/passwd` file to halt ongoing malicious activities.
118- Conduct a thorough review of the `/etc/passwd` file to identify and remove any unauthorized entries, especially those with root privileges.
119- Reset passwords for all user accounts on the affected system to ensure no compromised credentials are used for further attacks.
120- Restore the `/etc/passwd` file from a known good backup if unauthorized changes are detected and cannot be manually rectified.
121- Escalate the incident to the security operations team for a comprehensive investigation into potential system vulnerabilities or misconfigurations that allowed the attack.
122- Implement enhanced monitoring and alerting for similar activities, focusing on unauthorized use of `openssl` and modifications to critical system files like `/etc/passwd`."""
123
124
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1068"
129name = "Exploitation for Privilege Escalation"
130reference = "https://attack.mitre.org/techniques/T1068/"
131
132
133[rule.threat.tactic]
134id = "TA0004"
135name = "Privilege Escalation"
136reference = "https://attack.mitre.org/tactics/TA0004/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Suspicious Passwd File Event Action

In Linux environments, the /etc/passwd file is crucial for managing user accounts. Adversaries may exploit vulnerabilities or misconfigurations to add unauthorized entries, potentially gaining root access. The detection rule monitors for the use of openssl to generate password entries and subsequent unauthorized modifications to the /etc/passwd file, flagging potential privilege escalation attempts.

Possible investigation steps

  • Review the process execution details to confirm the use of 'openssl' with the 'passwd' argument by a non-root user (user.id != "0"). This can help identify the user attempting to generate a password entry.
  • Examine the process tree to understand the parent process of the 'openssl' command and determine if it was initiated by a legitimate or suspicious process.
  • Check the file modification event on '/etc/passwd' to verify if the file was altered by a non-root user (user.id != "0") and ensure the process.parent.pid is not 1, indicating it wasn't initiated by the init process.
  • Investigate the context of the file write event by reviewing recent logs and system changes to identify any unauthorized modifications or anomalies in user account management.
  • Correlate the event with other security alerts or logs to determine if there are additional indicators of compromise or related suspicious activities on the host.

False positive analysis

  • System administrators or automated scripts may use openssl to manage user passwords without malicious intent. To handle this, identify and whitelist known administrative scripts or processes that perform legitimate password management tasks.
  • Some legitimate software installations or updates might temporarily modify the /etc/passwd file. Monitor and document these activities to distinguish them from unauthorized changes, and consider creating exceptions for known software processes.
  • Developers or testers might use openssl for password generation in non-production environments. Establish a policy to differentiate between production and non-production systems, and apply the rule more strictly in production environments.
  • Scheduled maintenance tasks might involve legitimate modifications to the /etc/passwd file. Coordinate with IT teams to schedule these tasks and temporarily adjust monitoring rules during these periods to prevent false positives.
  • In environments with multiple administrators, ensure that all legitimate administrative actions are logged and reviewed. Implement a process for administrators to report their activities, allowing for the creation of exceptions for known, non-threatening actions.

Response and remediation

  • Immediately isolate the affected host from the network to prevent further unauthorized access or privilege escalation attempts.
  • Terminate any suspicious processes related to openssl or unauthorized modifications to the /etc/passwd file to halt ongoing malicious activities.
  • Conduct a thorough review of the /etc/passwd file to identify and remove any unauthorized entries, especially those with root privileges.
  • Reset passwords for all user accounts on the affected system to ensure no compromised credentials are used for further attacks.
  • Restore the /etc/passwd file from a known good backup if unauthorized changes are detected and cannot be manually rectified.
  • Escalate the incident to the security operations team for a comprehensive investigation into potential system vulnerabilities or misconfigurations that allowed the attack.
  • Implement enhanced monitoring and alerting for similar activities, focusing on unauthorized use of openssl and modifications to critical system files like /etc/passwd.

Related rules

to-top