Copy Passwd Or Shadow From TMP Path

Rule Info

Name
Copy Passwd Or Shadow From TMP Path
Author
Joseliyo Sanchez, @Joseliyo_Jstnk
Description
Detects when the file "passwd" or "shadow" is copied from tmp path
Reference
https://blogs.blackberry.com/
Date
2023-01-31 00:00:00
Modified
None
Id
fa4aaed5-4fe0-498d-bbc0-08e3346387ba
Tags
attack.credential_access attack.t1552.001 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=fa4aaed5-4fe0-498d-bbc0-08e3346387ba

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
feat: apply suggestions from code review
2023-01-31
6a337151d
Nasreddine Bencherchali
feat: add shadow file
2023-01-31
e158d6c1e
Nasreddine Bencherchali
feat: new rules from blackberry
2023-01-31
6a65920dd
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022