Query Details

Rule : Sensitive File Copy to /tmp Directory

Shadow Passwdcopytosuspiciouslocation

Query

DeviceProcessEvents
| where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")

About this query

Rule : Sensitive File Copy to /tmp Directory

Description

Detects attempts to copy sensitive system files, such as shadow and passwd, to the /tmp directory using the cp command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory may indicate malicious intent to exfiltrate or manipulate sensitive data.

Detection Logic

  • Monitors process events where the executed file name is cp.
  • Filters for instances where the process command line contains /tmp and includes either shadow or passwd, indicating an attempt to copy these sensitive files to the /tmp directory.

Tags

  • Sensitive File Copy
  • Shadow File
  • Passwd File
  • Process Events
  • Linux

Search Query

Explanation

This query is designed to detect attempts to copy sensitive system files, specifically shadow and passwd, to the /tmp directory using the cp command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory could indicate malicious activity, such as an attempt to steal or manipulate sensitive data.

Key Points:

  • Monitors process events: The query looks at events related to processes.
  • Executed file name is cp: It specifically checks for the cp command, which is used to copy files.
  • Command line contains /tmp: It filters for instances where the command line includes the /tmp directory.
  • Includes shadow or passwd: It further filters for commands that involve the shadow or passwd files.

Query Breakdown:

DeviceProcessEvents
| where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")
  • DeviceProcessEvents: The dataset containing process event logs.
  • FileName == "cp": Filters events where the executed command is cp.
  • ProcessCommandLine contains "/tmp": Ensures the command involves the /tmp directory.
  • ProcessCommandLine has_any ("shadow", "passwd"): Checks if the command involves the shadow or passwd files.

Tags:

  • Sensitive File Copy: Indicates the query is looking for copying of sensitive files.
  • Shadow File: Refers to the /etc/shadow file, which stores hashed passwords.
  • Passwd File: Refers to the /etc/passwd file, which stores user account information.
  • Process Events: Indicates the query is based on process creation events.
  • Linux: Specifies the operating system this query is relevant to.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsLinuxSensitiveFileCopyShadowPasswd

Operators

==andcontainshas_any

Actions

GitHub