Password Policy Discovery
Detects password policy discovery commands
Sigma rule (View on GitHub)
1title: Password Policy Discovery
2id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
3status: stable
4description: Detects password policy discovery commands
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
7 - https://linux.die.net/man/1/chage
8 - https://man7.org/linux/man-pages/man1/passwd.1.html
9 - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
10author: Ömer Günal, oscd.community, Pawel Mazur
11date: 2020/10/08
12modified: 2022/12/18
13tags:
14 - attack.discovery
15 - attack.t1201
16logsource:
17 product: linux
18 service: auditd
19detection:
20 selection_files:
21 type: 'PATH'
22 name:
23 - '/etc/pam.d/common-password'
24 - '/etc/security/pwquality.conf'
25 - '/etc/pam.d/system-auth'
26 - '/etc/login.defs'
27 selection_chage:
28 type: 'EXECVE'
29 a0: 'chage'
30 a1:
31 - '--list'
32 - '-l'
33 selection_passwd:
34 type: 'EXECVE'
35 a0: 'passwd'
36 a1:
37 - '-S'
38 - '--status'
39 condition: 1 of selection_*
40falsepositives:
41 - Legitimate administration activities
42level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
passwd(1) — Linux manual page PASSWD(1) User Commands PASSWD(1) NAME top passwd - change user password SYNOPSIS top passwd [options] [LOGIN] DESCRIPTION top The passwd comma...
Read More -
Ubuntu Documentation > Ubuntu 9.04 > Ubuntu Server Guide > Security > User Management states that there is a default minimum password length for Ubuntu: By default, Ubuntu requires a minimum
Read More
Related rules
- Driverquery Lookup
- Nslookup Local
- System Time Lookup
- CHCP CodePage Locale Lookup
- Emotet Child Process Spawn Pattern