SigmaHQ/rules/linux/lnx_password_policy_discovery.yml

title: Password Policy Discovery
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
author: Ömer Günal, oscd.community
date: 2020/10/08
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
logsource:
    service: auditd
detection:
    selection:
      type: 'PATH'
      name:
          - '/etc/pam.d/common-password'
          - '/etc/security/pwquality.conf'
          - '/etc/pam.d/system-auth'
          - '/etc/login.defs'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.discovery
    - attack.t1201