Adversaries may be exfiltrating sensitive password files by copying them from temporary directories to external locations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft and unauthorized access attempts.
Detection Rule

```yaml
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/cp'
    selection_path:
        CommandLine|contains: '/tmp/'
    selection_file:
        CommandLine|contains:
            - 'passwd'
            - 'shadow'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
Equivalent KQL over the ASIM `imProcessCreate` parser:

```kusto
imProcessCreate
| where TargetProcessName endswith "/cp" and TargetProcessCommandLine contains "/tmp/" and (TargetProcessCommandLine contains "passwd" or TargetProcessCommandLine contains "shadow")
```
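As an added example (not part of the original page or of the rule author's project), the Python below mirrors the Sigma/KQL logic above over constructed process-creation events and then applies one exclusion of the kind the false-positive scenarios below describe; the `parent_image` field and the cron binary paths are assumptions, and matching is case-insensitive as Sigma and KQL `contains`/`endswith` are.

```python
"""Added example: evaluate the 'Copy Passwd Or Shadow From TMP Path' logic
over constructed process-creation events, then apply a tuning filter."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str              # Sigma: Image (full path of the new process)
    command_line: str       # Sigma: CommandLine
    parent_image: str = ""  # assumed extra field, used only for tuning


def matches_rule(ev: ProcessEvent) -> bool:
    """selection_img AND selection_path AND selection_file, as in the rule."""
    img = ev.image.lower()
    cmd = ev.command_line.lower()
    selection_img = img.endswith("/cp")          # '/scp' does NOT end with '/cp'
    selection_path = "/tmp/" in cmd
    selection_file = any(name in cmd for name in ("passwd", "shadow"))
    return selection_img and selection_path and selection_file


# Assumed tuning for the "scheduled job" scenario: suppress copies spawned
# directly by cron. Paths are assumptions, not values from the page.
TUNED_PARENT_EXCLUSIONS = ("/usr/sbin/cron", "/usr/sbin/crond")


def triage(events):
    """Return (alerts, suppressed): rule matches split by the tuning filter."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if ev.parent_image in TUNED_PARENT_EXCLUSIONS else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events (not real telemetry). Note that event 2 copies
# *into* /tmp and still matches: the rule checks substrings, not direction.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/cp", "cp /tmp/shadow /var/www/html/s.txt", "/bin/bash"),
    ProcessEvent("/usr/bin/cp", "cp /etc/passwd /tmp/passwd.bak", "/usr/sbin/cron"),
    ProcessEvent("/usr/bin/cp", "cp /tmp/app.conf /etc/app/app.conf", "/bin/bash"),
    ProcessEvent("/usr/bin/cat", "cat /tmp/passwd", "/bin/bash"),
    ProcessEvent("/usr/bin/scp", "scp /tmp/shadow user@host:", "/bin/bash"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT     ", ev.command_line)
    for ev in suppressed:
        print("SUPPRESSED", ev.command_line)
```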
Scenario: System Update or Patching Tool Copying Files
Description: A legitimate system update tool (e.g., rsync, scp, or ansible) may copy /etc/passwd or /etc/shadow files from a temporary directory during a patching process.
Filter/Exclusion: Check for process names like rsync, ansible, or patchmgr and exclude paths associated with known update tools.
Scenario: Scheduled Job for Backup or Sync
Description: A scheduled job (e.g., cron job using scp or rsync) might temporarily copy /etc/passwd or /etc/shadow to a temporary directory as part of a backup or sync process.
Filter/Exclusion: Exclude processes initiated by cron or systemd-timedated and filter for known backup tools like backupd or bacula.
Scenario: Admin Task to Generate Reports
Description: An admin might manually copy /etc/passwd or /etc/shadow to a temporary directory to generate user reports or audit logs using tools like getent or cut.
Filter/Exclusion: Exclude processes with user IDs of admin accounts (e.g., root, admin, or sudo) and filter for tools like getent or cut.
Scenario: Temporary File Creation by Application
Description: A legitimate application (e.g., logrotate, nginx, or docker) might temporarily copy /etc/passwd or /etc/shadow to a temporary directory during configuration or log processing.
Filter/Exclusion: Exclude processes associated with logrotate, nginx, or docker and check for temporary directories like /tmp or /var/tmp.
Scenario: File Integrity Monitoring Tool