{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file_monitoring/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux"],"_cs_severities":["high"],"_cs_tags":["credential_access","linux","file_monitoring"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic's detection-rules repository on GitHub, focuses on identifying credential access attempts on Linux systems. The rule monitors access to a variety of sensitive files that commonly store credentials, configuration details, or other sensitive information that could be leveraged by attackers. While the specific attacker or campaign is not detailed in the provided source, the technique is commonly associated with post-exploitation activity where adversaries attempt to escalate privileges or move laterally within a compromised environment. The rule aims to provide defenders with visibility into unauthorized access to these critical files, allowing for rapid response and mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Linux system through an exploit, vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): If the initial access is with limited privileges, the attacker may attempt to escalate privileges using kernel exploits, misconfigurations, or other techniques.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker performs reconnaissance to identify sensitive files containing credentials or configuration information. This might involve using commands like \u003ccode\u003efind\u003c/code\u003e, \u003ccode\u003elocate\u003c/code\u003e, or \u003ccode\u003egrep\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCredential Access: The attacker accesses sensitive files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e, \u003ccode\u003e/etc/shadow\u003c/code\u003e, \u003ccode\u003e/etc/sudoers\u003c/code\u003e, \u003ccode\u003e/var/log/auth.log\u003c/code\u003e, configuration files in \u003ccode\u003e/etc\u003c/code\u003e related to specific services (e.g., \u003ccode\u003e/etc/nginx/nginx.conf\u003c/code\u003e, \u003ccode\u003e/etc/apache2/apache2.conf\u003c/code\u003e), \u003ccode\u003e.bash_history\u003c/code\u003e, \u003ccode\u003e.ssh/id_rsa\u003c/code\u003e, and similar files.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker parses the accessed files for usernames, passwords, API keys, or other valuable credentials. Tools like \u003ccode\u003egrep\u003c/code\u003e, \u003ccode\u003eawk\u003c/code\u003e, or custom scripts may be used.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the harvested credentials, the attacker attempts to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eData Exfiltration (Optional): The attacker may exfiltrate the harvested credentials and other sensitive data to an external location.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence using the compromised credentials or by modifying system configuration files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential access can lead to a wide range of negative consequences, including unauthorized access to sensitive data, system compromise, lateral movement within the network, and data exfiltration. Depending on the compromised system and the accessed credentials, the impact could range from minor data breaches to complete network compromise. This type of attack can affect any organization using Linux systems, with the severity depending on the sensitivity of the data stored on the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided to your SIEM and tune them based on your environment to detect suspicious file access patterns.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on sensitive files to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable and review audit logging on Linux systems to capture detailed information about file access events.\u003c/li\u003e\n\u003cli\u003eRegularly review and update user permissions to minimize the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to mitigate the impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-linux-credential-access/","summary":"This rule detects potential credential access attempts on Linux systems by monitoring access to sensitive files commonly containing credentials or configuration information.","title":"Linux Credential Access via Sensitive File Monitoring","url":"https://feed.craftedsignal.io/briefs/2024-01-linux-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed - File_monitoring","version":"https://jsonfeed.org/version/1.1"}