Adversaries attempt to read sensitive files such as /etc/passwd and /etc/shadow for credential dumping. This may involve access to the files directly via command-line utilities (e.g., cat, less), creation of backup copies, or parsing through post-exploitation frameworks. Multi-event correlation includes elevated process execution, file access/read on sensitive paths, and anomalous read behaviors tied to non-root or unusual users.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open, read |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| exe | Executable name used to access credentials (e.g., cat, cp, awk); can vary across environments |
| user | User context under which the access occurs; typically root, but can be non-standard in attacks |
| path | Target file paths (e.g., /etc/passwd, /etc/shadow); may vary in containerized or customized systems |
| TimeWindow | Time correlation threshold for chaining access and execution events |
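The correlation described above, as an added example that is not part of this analytic: it joins auditd SYSCALL and PATH records on their audit serial, then flags a sensitive-file open when the user context is non-root or when the same user spawned a typical read utility (execve) within TimeWindow seconds. The sample records, the sensitive-path set, the utility list and the 5-second window are all constructed assumptions; real auditd output carries many more fields.

```python
import re

SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow"}  # assumed set; tune per environment
READ_UTILITIES = {"cat", "less", "cp", "awk"}     # assumed typical exe names
TIME_WINDOW = 5.0                                  # seconds allowed from execve to open

# Constructed, simplified auditd records; real ones carry many more fields.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): syscall=execve success=yes uid=1001 exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.150:102): syscall=openat success=yes uid=1001 exe="/usr/bin/cat"
type=PATH msg=audit(1700000000.150:102): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1700000000.400:103): syscall=openat success=yes uid=0 exe="/usr/sbin/sshd"
type=PATH msg=audit(1700000000.400:103): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1700000200.000:104): syscall=execve success=yes uid=0 exe="/usr/bin/cp"
type=SYSCALL msg=audit(1700000200.050:105): syscall=openat success=yes uid=0 exe="/usr/bin/cp"
type=PATH msg=audit(1700000200.050:105): item=0 name="/etc/passwd"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)="?([^"\s]+)"?')

def parse(log):
    # Join SYSCALL and PATH records on the audit serial (the :NNN in the header)
    events = {}
    for m in filter(None, map(HEADER.match, log.splitlines())):
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts), "paths": []})
        fields = dict(FIELD.findall(rest))
        if rtype == "SYSCALL":
            ev.update(syscall=fields.get("syscall"), uid=fields.get("uid"), exe=fields.get("exe"))
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return [events[k] for k in sorted(events, key=int)]

def detect(log, window=TIME_WINDOW):
    # One finding per sensitive-file open: (uid, tool, path, reasons)
    events = parse(log)
    execs, findings = [e for e in events if e.get("syscall") == "execve"], []
    for e in events:
        if not (hit := SENSITIVE_PATHS & set(e["paths"])) or "exe" not in e:
            continue
        tool, reasons = e["exe"].rsplit("/", 1)[-1], []
        if e["uid"] != "0":                       # anomalous user context
            reasons.append("non-root uid " + e["uid"])
        if tool in READ_UTILITIES and any(        # execve -> open chain inside the window
                x["uid"] == e["uid"] and x["exe"] == e["exe"]
                and 0 <= e["ts"] - x["ts"] <= window for x in execs):
            reasons.append("%s execve within %gs" % (tool, window))
        if reasons:
            findings.append((e["uid"], tool, min(hit), "; ".join(reasons)))
    return findings
```

The sshd read of /etc/shadow as root with no preceding execve produces no finding, which is the expected baseline the analytic must tolerate; shrinking the window drops the root cp chain while the non-root read still alerts.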