<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>File_monitoring - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/file_monitoring/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/file_monitoring/feed.xml" rel="self" type="application/rss+xml"/><item><title>Linux Credential Access via Sensitive File Monitoring</title><link>https://feed.craftedsignal.io/briefs/2024-01-linux-credential-access/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-linux-credential-access/</guid><description>This rule detects potential credential access attempts on Linux systems by monitoring access to sensitive files commonly containing credentials or configuration information.</description><content:encoded><![CDATA[<p>This detection rule, sourced from Elastic's detection-rules repository on GitHub, focuses on identifying credential access attempts on Linux systems. The rule monitors access to a variety of sensitive files that commonly store credentials, configuration details, or other sensitive information that could be leveraged by attackers. While the specific attacker or campaign is not detailed in the provided source, the technique is commonly associated with post-exploitation activity where adversaries attempt to escalate privileges or move laterally within a compromised environment. The rule aims to provide defenders with visibility into unauthorized access to these critical files, allowing for rapid response and mitigation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Linux system through an exploit, vulnerability, or compromised credentials.</li>
<li>Privilege Escalation (Optional): If the initial access is with limited privileges, the attacker may attempt to escalate privileges using kernel exploits, misconfigurations, or other techniques.</li>
<li>Discovery: The attacker performs reconnaissance to identify sensitive files containing credentials or configuration information. This might involve using commands like <code>find</code>, <code>locate</code>, or <code>grep</code>.</li>
<li>Credential Access: The attacker accesses sensitive files such as <code>/etc/passwd</code>, <code>/etc/shadow</code>, <code>/etc/sudoers</code>, <code>/var/log/auth.log</code>, configuration files in <code>/etc</code> related to specific services (e.g., <code>/etc/nginx/nginx.conf</code>, <code>/etc/apache2/apache2.conf</code>), <code>.bash_history</code>, <code>.ssh/id_rsa</code>, and similar files.</li>
<li>Credential Harvesting: The attacker parses the accessed files for usernames, passwords, API keys, or other valuable credentials. Tools like <code>grep</code>, <code>awk</code>, or custom scripts may be used.</li>
<li>Lateral Movement: Using the harvested credentials, the attacker attempts to move laterally to other systems within the network.</li>
<li>Data Exfiltration (Optional): The attacker may exfiltrate the harvested credentials and other sensitive data to an external location.</li>
<li>Persistence (Optional): The attacker may establish persistence using the compromised credentials or by modifying system configuration files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful credential access can lead to a wide range of negative consequences, including unauthorized access to sensitive data, system compromise, lateral movement within the network, and data exfiltration. Depending on the compromised system and the accessed credentials, the impact could range from minor data breaches to complete network compromise. This type of attack can affect any organization using Linux systems, with the severity depending on the sensitivity of the data stored on the compromised systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided to your SIEM and tune them based on your environment to detect suspicious file access patterns.</li>
<li>Implement file integrity monitoring (FIM) on sensitive files to detect unauthorized modifications.</li>
<li>Enable and review audit logging on Linux systems to capture detailed information about file access events.</li>
<li>Regularly review and update user permissions to minimize the risk of unauthorized access.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the impact of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential_access</category><category>linux</category><category>file_monitoring</category></item></channel></rss>