Symlink Etc Passwd

Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd

Sigma rule

title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: test
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
references:
    - https://www.qualys.com/2021/05/04/21nails/21nails.txt
author: Florian Roth (Nextron Systems)
date: 2019/04/05
modified: 2021/11/27
tags:
    - attack.t1204.001
    - attack.execution
logsource:
    product: linux
detection:
    keywords:
        - 'ln -s -f /etc/passwd'
        - 'ln -s /etc/passwd'
    condition: keywords
falsepositives:
    - Unknown
level: high
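As an added example (not the rule's own code or any Sigma backend), the rule's `keywords` condition is applied below to constructed syslog-style lines in Python; it assumes Sigma's default semantics for a keyword list, namely case-insensitive substring matching against the whole log message, OR-ed across the list.

```python
"""Minimal evaluator for the 'Symlink Etc Passwd' keyword condition.

Added example: re-implements the rule's detection block over constructed
log lines so the match behaviour can be inspected offline.
"""
import re

# The two keyword strings from the rule's detection block, in rule order.
KEYWORDS = [
    "ln -s -f /etc/passwd",
    "ln -s /etc/passwd",
]

# A Sigma `keywords` list is a logical OR of case-insensitive substring
# matches against the full message, so each keyword becomes an escaped,
# case-insensitive regex searched anywhere in the line.
_PATTERNS = [re.compile(re.escape(k), re.IGNORECASE) for k in KEYWORDS]


def rule_matches(line: str) -> bool:
    """Return True when any rule keyword occurs as a substring of the line."""
    return any(p.search(line) for p in _PATTERNS)


def scan(lines):
    """Yield (line, keyword) for every line the rule fires on.

    The first keyword that matches is reported, mirroring the fact that
    the condition is satisfied as soon as one keyword is found.
    """
    for line in lines:
        for pattern, keyword in zip(_PATTERNS, KEYWORDS):
            if pattern.search(line):
                yield line, keyword
                break


# Constructed sample lines (hostnames, PIDs and link targets are invented).
SAMPLE_LOG = [
    "Jan 10 09:12:01 host1 sh[2310]: ln -s /etc/passwd /tmp/link",
    "Jan 10 09:12:02 host1 sh[2311]: ln -s -f /etc/passwd /tmp/link",
    "Jan 10 09:12:03 host1 sh[2312]: ln -s /etc/hosts /tmp/hosts",
]

if __name__ == "__main__":
    for hit, keyword in scan(SAMPLE_LOG):
        print(f"ALERT (matched {keyword!r}): {hit}")
```

Running the block prints one alert for each of the first two sample lines and nothing for the `/etc/hosts` line, which contains neither keyword.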
