Suspicious Unix utility usage for credential dumping: this query checks whether /etc/passwd or /etc/shadow was read or opened with a common viewer or editor (cat, less, more, head, tail, vi, vim), which is how an attacker typically collects local account hashes for offline cracking.
Related: LoLBins, Credential Access
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
https://attack.mitre.org/techniques/T1003/008/
MITRE ATT&CK: T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow)
DeviceProcessEvents
| where ProcessCommandLine matches regex @"\b(cat|less|more|head|tail|vi|vim)\b.*\/etc\/(passwd|shadow)"  // word boundaries stop the utility name matching inside longer words such as "locate"
| where InitiatingProcessFileName !in ("gc_worker","gc_linux_service","omsbaseline","qualys-scan-util","coreutils","postgres","systemd","sw-engine","qualys-cloud-agent","nessusd")
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessFolderPath=make_set(InitiatingProcessFolderPath), set_InitiatingProcessFileName=make_set(InitiatingProcessFileName), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine) , set_DeviceName=make_set(DeviceName), set_FolderPath=make_set(FolderPath), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, AccountName, TenantId
Triage:
- Validate the activity performed by the account and whether it is expected and approved (uncomment the summarize statement when the search returns more than 10 results, to review one row per initiating path and account).
- Verify whether the service accounts involved are expected to perform these actions.
- /etc/passwd is world-readable and parsed by many legitimate tools, so reads of /etc/shadow (root-only) are the higher-signal subset; prioritise those.
Known false positives:
- Legitimate admin activity
- Activity from service accounts
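To see what the two where-clauses and the commented-out summarize actually do, here is an added Python example (not part of the original query page) that replays the same logic over a handful of constructed DeviceProcessEvents-shaped rows. The utility list and the initiator exclusion list are copied from the query; the sample rows, device and account names are made up for the example. The block runs the utility/file pattern both unanchored and with `\b` word boundaries so the difference in false positives is visible.

```python
import re
from collections import defaultdict

# Constructed sample rows shaped like DeviceProcessEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "web-01", "AccountName": "www-data", "InitiatingProcessFileName": "bash",
     "InitiatingProcessFolderPath": "/usr/bin", "ProcessCommandLine": "cat /etc/shadow"},
    {"DeviceName": "db-02", "AccountName": "root", "InitiatingProcessFileName": "qualys-cloud-agent",
     "InitiatingProcessFolderPath": "/usr/local/qualys/cloud-agent/bin", "ProcessCommandLine": "cat /etc/passwd"},
    {"DeviceName": "web-01", "AccountName": "deploy", "InitiatingProcessFileName": "bash",
     "InitiatingProcessFolderPath": "/usr/bin", "ProcessCommandLine": "tail -n 5 /var/log/syslog"},
    {"DeviceName": "web-01", "AccountName": "deploy", "InitiatingProcessFileName": "bash",
     "InitiatingProcessFolderPath": "/usr/bin", "ProcessCommandLine": "locate /etc/passwd"},
    {"DeviceName": "jump-03", "AccountName": "alice", "InitiatingProcessFileName": "sshd",
     "InitiatingProcessFolderPath": "/usr/sbin", "ProcessCommandLine": "vim /etc/passwd"},
    {"DeviceName": "web-01", "AccountName": "www-data", "InitiatingProcessFileName": "bash",
     "InitiatingProcessFolderPath": "/usr/bin", "ProcessCommandLine": 'sh -c "head -c 1 /etc/shadow"'},
]

# Exclusion list copied from the query's second where-clause.
EXCLUDED_INITIATORS = {
    "gc_worker", "gc_linux_service", "omsbaseline", "qualys-scan-util", "coreutils",
    "postgres", "systemd", "sw-engine", "qualys-cloud-agent", "nessusd",
}

# Unanchored form: the utility name may match inside a longer word ("cat" inside "locate").
LOOSE_PATTERN = re.compile(r"(cat|less|more|head|tail|vi|vim).*\/etc\/(passwd|shadow)")
# Word-boundary form: the utility must be a whole token. No trailing boundary after the
# file name, so the backup copies /etc/shadow- and /etc/passwd- still match.
ANCHORED_PATTERN = re.compile(r"\b(cat|less|more|head|tail|vi|vim)\b.*/etc/(passwd|shadow)")


def detect(events, pattern=ANCHORED_PATTERN):
    """Mirror of the query: regex on ProcessCommandLine, then drop known-noisy initiators."""
    return [
        e for e in events
        if pattern.search(e["ProcessCommandLine"])
        and e["InitiatingProcessFileName"] not in EXCLUDED_INITIATORS
    ]


def summarize(hits):
    """Mirror of the commented-out summarize: one row per (InitiatingProcessFolderPath, AccountName)."""
    rows = defaultdict(lambda: {"count": 0, "devices": set(), "commands": set()})
    for e in hits:
        row = rows[(e["InitiatingProcessFolderPath"], e["AccountName"])]
        row["count"] += 1
        row["devices"].add(e["DeviceName"])
        row["commands"].add(e["ProcessCommandLine"])
    return {
        key: {"count": r["count"],
              "num_distinctDevices": len(r["devices"]),
              "set_ProcessCMD": sorted(r["commands"])}
        for key, r in rows.items()
    }


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"[{label}]")
        for e in detect(SAMPLE_EVENTS, pattern):
            print(f"  {e['DeviceName']:8} {e['AccountName']:9} {e['ProcessCommandLine']}")
    for key, row in summarize(detect(SAMPLE_EVENTS)).items():
        print(key, row)
```

The qualys-cloud-agent row is dropped by the exclusion list under both patterns, the syslog `tail` never matches, and `locate /etc/passwd` is the row that separates the two forms: it fires under the unanchored pattern only. The summarize mirror groups the remaining hits the way the query's commented-out statement does, which is the view to use when triaging more than a handful of results.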
Version 1.0 (date 20/03/2024)