Suspicious access to shadow file

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

7 Days

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Kubernetes - AGENT, Containers

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Informational

Description

A process that is rarely seen accessing the shadow file (/etc/shadow) in the environment's baseline accessed it.

Attacker's Goals

Attackers may dump the contents of /etc/shadow, which stores the hashed passwords of local accounts, so they can crack the hashes offline.

Investigative actions

  • Check the process for more suspicious activity: its command line, parent process, the user it ran as, and any other sensitive files it touched.
  • Check whether this was a legitimate action, for example by an authentication service or a local account-management tool (passwd, chpasswd, useradd) that reads or updates /etc/shadow as part of normal operation.
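The following is an added example, not Cortex XDR's own implementation, that models how the Synopsis fields above combine: a 30-day training period builds a baseline of which processes normally read the shadow file across hosts, any later access by a process outside that baseline ("unpopular") raises an alert, repeat alerts for the same host and process are suppressed for the 7-day deduplication period, and the variation and severity follow the Kubernetes Pod / known text editor tags listed under Variations. The telemetry records, the popularity threshold (seen on at least three distinct hosts), the list of "known text editors", and the exact severity mapping are assumptions made for the example; the activation period is not modelled.

```python
"""Toy model of the "Suspicious access to shadow file" analytics alert.

Added example; it is not Cortex XDR's algorithm or data schema. Event
fields, thresholds and the editor list are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHADOW_FILE = "/etc/shadow"
TRAINING_PERIOD = timedelta(days=30)   # from the Synopsis table
DEDUP_PERIOD = timedelta(days=7)       # from the Synopsis table

# Assumed: a process counts as "popular" if the baseline saw it access the
# shadow file on at least this many distinct hosts.
POPULAR_HOST_THRESHOLD = 3
# Assumed list of "known text editors"; the page names none.
KNOWN_EDITORS = {"vi", "vim", "nano", "emacs"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def ev(time, host, process, path=SHADOW_FILE, in_pod=False):
    return {"time": ts(time), "host": host, "process": process,
            "path": path, "in_pod": in_pod}


# Constructed sample telemetry (not real XDR agent data).
SAMPLE_EVENTS = [
    # training period: sshd and passwd read /etc/shadow on three hosts each
    ev("2024-08-01 08:00", "web-1", "sshd"),
    ev("2024-08-02 08:00", "web-2", "sshd"),
    ev("2024-08-03 08:00", "db-1", "sshd"),
    ev("2024-08-05 09:00", "web-1", "passwd"),
    ev("2024-08-06 09:00", "web-2", "passwd"),
    ev("2024-08-07 09:00", "db-1", "passwd"),
    ev("2024-08-10 12:00", "web-1", "bash", path="/etc/passwd"),  # not the shadow file
    # detection period (more than 30 days after the first event)
    ev("2024-09-05 10:00", "web-1", "sshd"),                      # popular: no alert
    ev("2024-09-05 10:05", "web-1", "cat"),                       # unpopular: alert
    ev("2024-09-05 10:06", "web-1", "cat"),                       # deduplicated
    ev("2024-09-06 11:00", "app-pod-7", "vim", in_pod=True),      # editor in a pod
    ev("2024-09-07 11:00", "app-pod-8", "python3", in_pod=True),  # unpopular in a pod
    ev("2024-09-15 10:00", "web-1", "cat"),                       # dedup window expired
]


def build_baseline(events, training_end):
    """Return the set of processes seen accessing the shadow file on enough
    distinct hosts during training to be considered popular."""
    hosts_by_process = defaultdict(set)
    for e in events:
        if e["time"] < training_end and e["path"] == SHADOW_FILE:
            hosts_by_process[e["process"]].add(e["host"])
    return {p for p, hosts in hosts_by_process.items()
            if len(hosts) >= POPULAR_HOST_THRESHOLD}


def classify(process, in_pod):
    """Map the Kubernetes Pod / known text editor tags to the variation
    name and severity listed on this page (assumed mapping)."""
    editor = process in KNOWN_EDITORS
    if editor and in_pod:
        return ("Suspicious access to shadow file in a Kubernetes Pod "
                "using a known text editor", "Medium")
    if editor:
        return ("Suspicious access to shadow file using a known text editor", "Medium")
    if in_pod:
        return ("Suspicious access to shadow file in a Kubernetes Pod", "Low")
    return ("Suspicious access to shadow file", "Informational")


def detect(events):
    """Run training, then alert once per (host, process) per dedup period."""
    events = sorted(events, key=lambda e: e["time"])
    training_end = events[0]["time"] + TRAINING_PERIOD
    popular = build_baseline(events, training_end)
    alerts, last_alert = [], {}
    for e in events:
        if e["time"] < training_end or e["path"] != SHADOW_FILE:
            continue
        if e["process"] in popular:
            continue
        key = (e["host"], e["process"])
        prev = last_alert.get(key)
        if prev is not None and e["time"] - prev < DEDUP_PERIOD:
            continue
        last_alert[key] = e["time"]
        name, severity = classify(e["process"], e["in_pod"])
        alerts.append({"time": e["time"], "host": e["host"],
                       "process": e["process"], "alert": name,
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"], a["host"], a["process"], a["severity"], "-", a["alert"])
```

On the constructed data, sshd and passwd are learned as normal readers of the shadow file and never alert; the two cat reads one minute apart collapse into a single Informational alert, the third cat read ten days later alerts again because the deduplication window has passed, and the pod events land on the Medium (editor) and Low (pod only) variations. Tune POPULAR_HOST_THRESHOLD downwards on small fleets, otherwise everything is "unpopular".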

Variations

Suspicious access to shadow file in a Kubernetes Pod using a known text editor

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Medium

Description

A known text editor that is rarely seen accessing the shadow file (/etc/shadow) in the environment's baseline accessed it inside a Kubernetes Pod.

Attacker's Goals

Attackers may dump the contents of /etc/shadow, which stores the hashed passwords of local accounts, so they can crack the hashes offline.

Investigative actions

  • Check the process for more suspicious activity: its command line, parent process, the user it ran as, and any other sensitive files it touched.
  • Check whether this was a legitimate action, for example an administrator editing the file interactively in the Pod, and whether the container image or workload is expected to manage local accounts at all.


Suspicious access to shadow file using a known text editor

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Medium

Description

A known text editor that is rarely seen accessing the shadow file (/etc/shadow) in the environment's baseline accessed it.

Attacker's Goals

Attackers may dump the contents of /etc/shadow, which stores the hashed passwords of local accounts, so they can crack the hashes offline.

Investigative actions

  • Check the process for more suspicious activity: its command line, parent process, the user it ran as, and any other sensitive files it touched.
  • Check whether this was a legitimate action, for example an administrator editing the file interactively from a known session, rather than an account-management tool such as passwd or chpasswd that would normally update it.


Suspicious access to shadow file in a Kubernetes Pod

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Low

Description

A process that is rarely seen accessing the shadow file (/etc/shadow) in the environment's baseline accessed it inside a Kubernetes Pod.

Attacker's Goals

Attackers may dump the contents of /etc/shadow, which stores the hashed passwords of local accounts, so they can crack the hashes offline.

Investigative actions

  • Check the process for more suspicious activity: its command line, parent process, the user it ran as, and any other sensitive files it touched.
  • Check whether this was a legitimate action, and whether the container image or workload is expected to read or manage local accounts at all.


Suspicious access to shadow file

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping (T1003)

Severity

Low

Description

A process that is rarely seen accessing the shadow file (/etc/shadow) in the environment's baseline accessed it.

Attacker's Goals

Attackers may dump the contents of /etc/shadow, which stores the hashed passwords of local accounts, so they can crack the hashes offline.

Investigative actions

  • Check the process for more suspicious activity: its command line, parent process, the user it ran as, and any other sensitive files it touched.
  • Check whether this was a legitimate action, for example by an authentication service or a local account-management tool (passwd, chpasswd, useradd) that reads or updates /etc/shadow as part of normal operation.