valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
93bff7f49d
SigmaHQ/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
frack113 ecefc6e913 add missing product
2021-09-14 19:29:49 +02:00

28 lines
721 B
YAML
Raw Blame History

title: Password Policy Discovery
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
author: Ömer Günal, oscd.community
date: 2020/10/08
modified: 2021/09/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/etc/pam.d/common-password'
- '/etc/security/pwquality.conf'
- '/etc/pam.d/system-auth'
- '/etc/login.defs'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
tags:
- attack.discovery
- attack.t1201
Reference in New Issue View Git Blame Copy Permalink