Copy Passwd Or Shadow From TMP Path

 1title: Copy Passwd Or Shadow From TMP Path
 2id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
 3status: test
 4description: Detects when the file "passwd" or "shadow" is copied from tmp path
 5references:
 6    - https://blogs.blackberry.com/
 7    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 8author: Joseliyo Sanchez, @Joseliyo_Jstnk
 9date: 2023/01/31
10tags:
11    - attack.credential_access
12    - attack.t1552.001
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection_img:
18        Image|endswith: '/cp'
19    selection_path:
20        CommandLine|contains: '/tmp/'
21    selection_file:
22        CommandLine|contains:
23            - 'passwd'
24            - 'shadow'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: high

References

• BlackBerry Blog

  The latest news and articles about cybersecurity, critical event management, asset tracking, and secure Internet of Things including automotive from BlackBerry.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Typical HiveNightmare SAM File Export
• Azure Key Vault Modified or Deleted
• Azure Keyvault Key Modified or Deleted
• Azure Keyvault Secrets Modified or Deleted
• Linux Recon Indicators