Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowstable

Password Policy Discovery - Linux

Detects password policy discovery commands

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ömer Günal, oscd.community, Pawel MazurCreated Thu Oct 08Updated Sun Dec 01ca94a6db-8106-4737-9ed2-3e3bb826af0alinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic3 selectors
detection:
    selection_files:
        type: 'PATH'
        name:
            - '/etc/login.defs'
            - '/etc/pam.d/auth'
            - '/etc/pam.d/common-account'
            - '/etc/pam.d/common-auth'
            - '/etc/pam.d/common-password'
            - '/etc/pam.d/system-auth'
            - '/etc/security/pwquality.conf'
    selection_chage:
        type: 'EXECVE'
        a0: 'chage'
        a1:
            - '--list'
            - '-l'
    selection_passwd:
        type: 'EXECVE'
        a0: 'passwd'
        a1:
            - '-S'
            - '--status'
    condition: 1 of selection_*
False Positives

Legitimate administration activities

References
1
Resolving title…
github.com
2
Resolving title…
linux.die.net
3
Resolving title…
man7.org
4
Resolving title…
superuser.com
MITRE ATT&CK
Rule Metadata
Rule ID
ca94a6db-8106-4737-9ed2-3e3bb826af0a
Status
stable
Level
low
Type
Detection
Created
Thu Oct 08
Modified
Sun Dec 01
Author
Ömer Günal, oscd.community, Pawel Mazur
Path
rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
Raw Tags
attack.discoveryattack.t1201
View on GitHub