Rule : Sensitive File Copy to /tmp Directory
Shadow Passwdcopytosuspiciouslocation
Query
DeviceProcessEvents
| where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")About this query
Rule : Sensitive File Copy to /tmp Directory
Description
Detects attempts to copy sensitive system files, such as shadow and passwd, to the /tmp directory using the cp command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory may indicate malicious intent to exfiltrate or manipulate sensitive data.
Detection Logic
- Monitors process events where the executed file name is
cp. - Filters for instances where the process command line contains
/tmpand includes eithershadoworpasswd, indicating an attempt to copy these sensitive files to the/tmpdirectory.
Tags
- Sensitive File Copy
- Shadow File
- Passwd File
- Process Events
- Linux
Search Query
Explanation
This query is designed to detect attempts to copy sensitive system files, specifically shadow and passwd, to the /tmp directory using the cp command. These files contain critical information about user accounts and passwords, and copying them to a temporary directory could indicate malicious activity, such as an attempt to steal or manipulate sensitive data.
Key Points:
- Monitors process events: The query looks at events related to processes.
- Executed file name is
cp: It specifically checks for thecpcommand, which is used to copy files. - Command line contains
/tmp: It filters for instances where the command line includes the/tmpdirectory. - Includes
shadoworpasswd: It further filters for commands that involve theshadoworpasswdfiles.
Query Breakdown:
DeviceProcessEvents
| where FileName == "cp" and ProcessCommandLine contains "/tmp" and ProcessCommandLine has_any ("shadow", "passwd")
- DeviceProcessEvents: The dataset containing process event logs.
- FileName == "cp": Filters events where the executed command is
cp. - ProcessCommandLine contains "/tmp": Ensures the command involves the
/tmpdirectory. - ProcessCommandLine has_any ("shadow", "passwd"): Checks if the command involves the
shadoworpasswdfiles.
Tags:
- Sensitive File Copy: Indicates the query is looking for copying of sensitive files.
- Shadow File: Refers to the
/etc/shadowfile, which stores hashed passwords. - Passwd File: Refers to the
/etc/passwdfile, which stores user account information. - Process Events: Indicates the query is based on process creation events.
- Linux: Specifies the operating system this query is relevant to.
Details

Ali Hussein
Released: July 9, 2024
Tables
Keywords
Operators