Password Policy Discovery - Linux
Detects password policy discovery commands
Sigma rule (View on GitHub)
1title: Password Policy Discovery - Linux
2id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
3status: stable
4description: Detects password policy discovery commands
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
7 - https://linux.die.net/man/1/chage
8 - https://man7.org/linux/man-pages/man1/passwd.1.html
9 - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
10author: Ömer Günal, oscd.community, Pawel Mazur
11date: 2020-10-08
12modified: 2024-12-01
13tags:
14 - attack.discovery
15 - attack.t1201
16logsource:
17 product: linux
18 service: auditd
19detection:
20 selection_files:
21 type: 'PATH'
22 name:
23 - '/etc/login.defs'
24 - '/etc/pam.d/auth'
25 - '/etc/pam.d/common-account'
26 - '/etc/pam.d/common-auth'
27 - '/etc/pam.d/common-password'
28 - '/etc/pam.d/system-auth'
29 - '/etc/security/pwquality.conf'
30 selection_chage:
31 type: 'EXECVE'
32 a0: 'chage'
33 a1:
34 - '--list'
35 - '-l'
36 selection_passwd:
37 type: 'EXECVE'
38 a0: 'passwd'
39 a1:
40 - '-S'
41 - '--status'
42 condition: 1 of selection_*
43falsepositives:
44 - Legitimate administration activities
45level: low
References
Related rules
- Cisco Discovery
- HackTool - CrackMapExec Execution
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- Password Policy Enumerated
- File and Directory Discovery - Linux