Linux Credential Access via Sensitive File Monitoring
This rule detects potential credential access attempts on Linux systems by monitoring access to sensitive files commonly containing credentials or configuration information.
This detection rule, sourced from Elastic's detection-rules repository on GitHub, focuses on identifying credential access attempts on Linux systems. The rule monitors access to a variety of sensitive files that commonly store credentials, configuration details, or other sensitive information that could be leveraged by attackers. While the specific attacker or campaign is not detailed in the provided source, the technique is commonly associated with post-exploitation activity where adversaries attempt to escalate privileges or move laterally within a compromised environment. The rule aims to provide defenders with visibility into unauthorized access to these critical files, allowing for rapid response and mitigation.
Attack Chain
- Initial Access: An attacker gains initial access to a Linux system through an exploit, vulnerability, or compromised credentials.
- Privilege Escalation (Optional): If the initial access is with limited privileges, the attacker may attempt to escalate privileges using kernel exploits, misconfigurations, or other techniques.
- Discovery: The attacker performs reconnaissance to identify sensitive files containing credentials or configuration information. This might involve using commands like
find,locate, orgrep. - Credential Access: The attacker accesses sensitive files such as
/etc/passwd,/etc/shadow,/etc/sudoers,/var/log/auth.log, configuration files in/etcrelated to specific services (e.g.,/etc/nginx/nginx.conf,/etc/apache2/apache2.conf),.bash_history,.ssh/id_rsa, and similar files. - Credential Harvesting: The attacker parses the accessed files for usernames, passwords, API keys, or other valuable credentials. Tools like
grep,awk, or custom scripts may be used. - Lateral Movement: Using the harvested credentials, the attacker attempts to move laterally to other systems within the network.
- Data Exfiltration (Optional): The attacker may exfiltrate the harvested credentials and other sensitive data to an external location.
- Persistence (Optional): The attacker may establish persistence using the compromised credentials or by modifying system configuration files.
Impact
Successful credential access can lead to a wide range of negative consequences, including unauthorized access to sensitive data, system compromise, lateral movement within the network, and data exfiltration. Depending on the compromised system and the accessed credentials, the impact could range from minor data breaches to complete network compromise. This type of attack can affect any organization using Linux systems, with the severity depending on the sensitivity of the data stored on the compromised systems.
Recommendation
- Deploy the Sigma rules provided to your SIEM and tune them based on your environment to detect suspicious file access patterns.
- Implement file integrity monitoring (FIM) on sensitive files to detect unauthorized modifications.
- Enable and review audit logging on Linux systems to capture detailed information about file access events.
- Regularly review and update user permissions to minimize the risk of unauthorized access.
- Implement multi-factor authentication (MFA) to mitigate the impact of compromised credentials.
Detection coverage 2
Detect Sensitive File Access for Credential Harvesting
highDetects processes accessing sensitive files commonly targeted for credential harvesting on Linux systems.
Detect Sudo Usage with Suspicious Command History Access
mediumDetects sudo commands followed by access to bash history files, potentially indicating credential theft attempts.
Detection queries are available on the platform. Get full rules →