Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0006 ✕ technique: T1082 ✕
Show ATT&CK heatmapUncommon access to /etc/passwd Informational 11 variations
A process made an uncommon attempt to access /etc/passwd.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) System Service Discovery (T1007) System Owner/User Discovery (T1033) System Information Discovery (T1082) Account Discovery (T1087) Account Discovery: Local Account (T1087.001) OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Discovery Analytics, Credentials Grabbing AnalyticsAttacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.Variations
Uncommon access to /etc/passwd by a security testing tool
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd by a potential Webshell
Medium overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon link creation to /etc/passwd
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd, involving a network utility
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd from temporary or world writable directories
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd with additional sensitive files in the command line
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd via a new inline bash script
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive binary
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden
Uncommon access to /etc/passwd using an interactive shell
Low overridden
A process made an uncommon attempt to access /etc/passwd. overridden