Rule Documentation: Detection of Unauthorized Renaming of /etc/shadow
Shadow File Modified
Query
DeviceFileEvents
| where ActionType contains "FileRenamed"
| where FileName == @"/etc/shadow"About this query
Rule Documentation: Detection of Unauthorized Renaming of /etc/shadow
Description
This detection rule identifies attempts to rename the /etc/shadow file on Linux systems. The /etc/shadow file contains hashed passwords for user accounts and should never be renamed during normal operations. Unauthorized renaming of this file could indicate malicious activity, such as an attempt to hide unauthorized changes to user passwords.
This rule monitors for Linux shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.
Detection Logic
- Monitors
DeviceFileEventsfor events where:- The
ActionTypecontains "FileRenamed", and - The
FileNameis/etc/shadow.
- The
Tags
- File Events
- Persistence
- User Password Change
- /etc/shadow
- Linux Security
- Suspicious Activity
Search Query
Explanation
This query looks for any attempts to rename the /etc/shadow file on Linux systems, which could indicate unauthorized activity related to user passwords. It monitors for file rename events specifically for the /etc/shadow file.
Details

Ali Hussein
Released: July 7, 2024
Tables
Keywords
Operators