title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: experimental
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
author: Florian Roth
date: 2019/04/05
references:
    - https://www.qualys.com/2021/05/04/21nails/21nails.txt
logsource:
    product: linux
detection:
    keywords:
        - 'ln -s -f /etc/passwd'
        - 'ln -s /etc/passwd'
    condition: keywords
falsepositives:
    - Unknown
level: high
tags:
    - attack.t1204.001 
    - attack.execution