Password Policy Discovery - Linux

Detects password policy discovery commands

Sigma rule (View on GitHub)

 1title: Password Policy Discovery - Linux
 2id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
 3status: stable
 4description: Detects password policy discovery commands
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
 7    - https://linux.die.net/man/1/chage
 8    - https://man7.org/linux/man-pages/man1/passwd.1.html
 9    - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
10author: Ömer Günal, oscd.community, Pawel Mazur
11date: 2020-10-08
12modified: 2024-12-01
13tags:
14    - attack.discovery
15    - attack.t1201
16logsource:
17    product: linux
18    service: auditd
19detection:
20    selection_files:
21        type: 'PATH'
22        name:
23            - '/etc/login.defs'
24            - '/etc/pam.d/auth'
25            - '/etc/pam.d/common-account'
26            - '/etc/pam.d/common-auth'
27            - '/etc/pam.d/common-password'
28            - '/etc/pam.d/system-auth'
29            - '/etc/security/pwquality.conf'
30    selection_chage:
31        type: 'EXECVE'
32        a0: 'chage'
33        a1:
34            - '--list'
35            - '-l'
36    selection_passwd:
37        type: 'EXECVE'
38        a0: 'passwd'
39        a1:
40            - '-S'
41            - '--status'
42    condition: 1 of selection_*
43falsepositives:
44    - Legitimate administration activities
45level: low

References

Related rules

to-top