Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Sigma rule (View on GitHub)
1title: Symlink Etc Passwd
2id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
3status: test
4description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
5references:
6 - https://www.qualys.com/2021/05/04/21nails/21nails.txt
7author: Florian Roth (Nextron Systems)
8date: 2019-04-05
9modified: 2021-11-27
10tags:
11 - attack.t1204.001
12 - attack.execution
13logsource:
14 product: linux
15detection:
16 keywords:
17 - 'ln -s -f /etc/passwd'
18 - 'ln -s /etc/passwd'
19 condition: keywords
20falsepositives:
21 - Unknown
22level: high
References
-
Qualys Security Advisory 21Nails: Multiple vulnerabilities in Exim ======================================================================== Contents ================================================...
Read More
Related rules
- Suspicious Execution via macOS Script Editor
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators