Potential Linux Credential Dumping via Unshadow

Identifies execution of the unshadow utility, part of the John the Ripper password-cracking suite, on the host machine. Malicious actors can use the utility to combine the contents of the /etc/shadow and /etc/passwd files into a single file. That combined file can then be fed to password-cracking utilities, or kept for future operations, giving the threat actor the victim host's credential information.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Elastic Endgame
  • Host
  • Linux
  • Threat Detection
  • Credential Access

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process where host.os.type == "linux" and process.name == "unshadow" and
  event.type == "start" and event.action == "exec" and process.args_count >= 2
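The EQL query above only runs inside Elasticsearch. The following added example, which is not Elastic's code and not part of the rule itself, re-implements the same five conditions in Python and runs them over a handful of constructed, ECS-shaped endpoint events, so that the effect of each clause (including the process.args_count >= 2 threshold, which filters out a bare "unshadow" invocation that only prints usage) can be checked offline. The sample events, the helper names and the treatment of array-valued ECS fields are assumptions of this example.

```python
import json

# Constructed sample endpoint events (ECS-shaped, not real telemetry) used to
# exercise the rule's conditions offline.
SAMPLE_EVENTS = [
    # unshadow run against the passwd and shadow files: should alert
    {"host": {"os": {"type": "linux"}},
     "event": {"type": ["start"], "action": "exec"},
     "process": {"name": "unshadow",
                 "args": ["unshadow", "/etc/passwd", "/etc/shadow"],
                 "args_count": 3}},
    # unshadow invoked with no arguments (prints usage only): below the threshold
    {"host": {"os": {"type": "linux"}},
     "event": {"type": ["start"], "action": "exec"},
     "process": {"name": "unshadow", "args": ["unshadow"], "args_count": 1}},
    # process end event for the same binary: wrong event.type / event.action
    {"host": {"os": {"type": "linux"}},
     "event": {"type": ["end"], "action": "end"},
     "process": {"name": "unshadow",
                 "args": ["unshadow", "/etc/passwd", "/etc/shadow"],
                 "args_count": 3}},
    # unrelated Linux process touching the same file: not this rule's target
    {"host": {"os": {"type": "linux"}},
     "event": {"type": ["start"], "action": "exec"},
     "process": {"name": "cat", "args": ["cat", "/etc/passwd"], "args_count": 2}},
]


def field(doc, dotted):
    """Walk a dotted ECS path; return None when any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eq(value, expected):
    """Equality check that also accepts array-valued ECS fields such as
    event.type, matching when any element equals the expected value."""
    if isinstance(value, list):
        return expected in value
    return value == expected


def matches_unshadow_rule(doc):
    """Apply the rule's five conditions to one event document."""
    args_count = field(doc, "process.args_count")
    return (
        eq(field(doc, "host.os.type"), "linux")
        and eq(field(doc, "process.name"), "unshadow")
        and eq(field(doc, "event.type"), "start")
        and eq(field(doc, "event.action"), "exec")
        and isinstance(args_count, int)
        and args_count >= 2
    )


def find_alerts(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_unshadow_rule(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(json.dumps(hit["process"]))
```

Only the first sample event survives all five clauses; the second is dropped by the argument-count threshold, the third by the event.type/event.action filter, and the fourth by the process name.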

Framework: MITRE ATT&CK™
