Credential access attacks are cyber threats that aim to obtain users' login credentials such as usernames, passwords, security tokens, or other authentication material. Stolen credentials let an adversary authenticate as a legitimate user, which enables lateral movement and privilege escalation while generating far less noise than an exploit would.
To effectively detect and respond to credential access attacks on Linux systems, organizations should implement a robust security monitoring system to identify abnormal behaviors. This guide demonstrates how to detect the following credential access attack techniques using Argus:
- Offline password cracking
- Unsecured credential access
Infrastructure Setup
Required Components:
- Argus: A pre-built, ready-to-use virtual machine hosting Argus central components (Argus server, Argus indexer, and Argus dashboard).
- Linux Victim Endpoint:
- OS: Ubuntu
- Argus Agent: Installed and enrolled in the Argus server.
Credential Access Attack Techniques
- Offline Password Cracking
This technique targets the password hashes that Linux stores in /etc/shadow (account metadata such as usernames, UIDs, and shells lives in /etc/passwd). An attacker who can read the hashes copies them off the host and runs brute-force or dictionary attacks against them offline, where no account lockout or rate limit applies.
Detection Strategy: Monitor read access to these files. /etc/shadow is readable only by root (and the shadow group) by default, so any read attempt by an unprivileged user, whether or not it succeeds, deserves an alert. /etc/passwd is world-readable, so reads of it are lower fidelity and are best treated as supporting context rather than an alert on their own.
- Unsecured Credential Access
Adversaries may look for credentials stored in plaintext, weakly encrypted, or unhashed form. Common targets are ~/.bash_history, which can contain passwords typed on the command line (for example as arguments to database or HTTP clients), and ~/.ssh, which holds private keys that can be reused to authenticate to other hosts.
Detection Strategy: Identify read attempts on these files, and command lines such as grep that search the file system for strings like cred, password, or login.
Configuration Steps
- Configuring the Ubuntu Endpoint
Install and Configure Auditd. Run the following commands as root on the Ubuntu endpoint.
- Install, start, and enable Auditd:
apt -y install auditd audispd-plugins
systemctl start auditd
systemctl enable auditd
- Append audit rules to /etc/audit/rules.d/audit.rules. Replace <username> with the account whose home directory you want to monitor, and add one history_access and one ssh_access rule per monitored user:
cat << EOF >> /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -F auid!=-1 -F euid!=0 -S execve -k audit-wazuh-c
-a exit,always -F arch=b64 -F path=/etc/shadow -F auid!=-1 -F euid!=0 -F perm=r -k shadow_access
-a exit,always -F arch=b64 -F path=/etc/passwd -F auid!=-1 -F euid!=0 -F perm=r -k passwd_access
-a exit,always -F arch=b64 -F path=/home/<username>/.bash_history -F auid!=-1 -F euid!=0 -F perm=r -k history_access
-a exit,always -F arch=b64 -F dir=/home/<username>/.ssh/ -F auid!=-1 -F euid!=0 -F perm=r -k ssh_access
EOF
The -F auid!=-1 filter drops events from processes that have no login UID (system daemons), and -F euid!=0 drops events from processes running as root. The second filter keeps noise down, but it also means that a read of /etc/shadow by an attacker who has already obtained root is not recorded by these rules; remove it if you want root reads logged as well. The file watches fire on the open attempt, so a non-root read of /etc/shadow is recorded even though the open fails with EACCES. The rules cover 64-bit system calls only; add matching -F arch=b32 rules if 32-bit binaries are expected on the host.
- Reload the audit rules and confirm they are active:
auditctl -R /etc/audit/rules.d/audit.rules
auditctl -l
- Configure the Argus agent to forward the audit log by adding the following block to /var/ossec/etc/ossec.conf:
<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
- Restart the Argus agent service:
systemctl restart wazuh-agent
- Configuring the Argus Server
Update the Audit Keys List
- Append the custom audit keys to /var/ossec/etc/lists/audit-keys. Each entry maps the key set by an audit rule (-k) to the short value the detection rules match on:
cat << EOF >> /var/ossec/etc/lists/audit-keys
passwd_access:passwd
shadow_access:shadow
history_access:history
ssh_access:ssh
EOF
Add Detection Rules
- Add rules to /var/ossec/etc/rules/local_rules.xml. Each rule is a child of the built-in auditd rule 80700, belongs to the audit_command group, and matches either one value from the etc/lists/audit-keys list or a command-line pattern:
- passwd key: description "File access – The file $(audit.file.name) was accessed", mapped to MITRE ATT&CK T1003.008.
- shadow key: description "Possible adversary activity – $(audit.file.name) was accessed", mapped to T1003.008.
- history key: description "Possible adversary activity – $(audit.file.name) was accessed".
- ssh key: description "Possible adversary activity – $(audit.file.name) was accessed".
- grep usage: matches an executable of /usr/bin/*grep with an argument matching cred|password|login, description "Possible adversary activity – $(audit.file.name) was accessed".
- Composite rule: fires on matches of rules 100131, 100132, and 100133 (the history, ssh, and grep rules above), with description "Possible adversary activity – searching for previously used credentials in system files", mapped to T1552.001.
- Restart the Argus manager to apply the changes:
systemctl restart wazuh-manager
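To check what the configuration above will alert on before deploying it, the following script replays auditd records through the same logic: it groups SYSCALL, EXECVE and PATH records by audit serial, maps the rule key through the audit-keys list, applies the grep rule, and raises the composite rule when its child rules fire close together. This is an added example written for this page, not Argus or Wazuh code: the sample log lines are constructed, the alert levels, the mapping of rule IDs 100110 and 100120 to the passwd and shadow rules, and the composite threshold and time window are assumptions (the page only names the IDs used in the dashboard filter and the composite rule's children).

```python
import re

# Mirrors etc/lists/audit-keys: auditd rule key -> value the rules match on.
AUDIT_KEYS = {"passwd_access": "passwd", "shadow_access": "shadow",
              "history_access": "history", "ssh_access": "ssh"}

# value -> (rule_id, level, description, MITRE id). IDs/levels are assumptions,
# except 100131/100132/100133 and 100130, which the page names for the composite rule.
KEY_RULES = {
    "passwd":  (100110, 5,  "File access - The file {file} was accessed", "T1003.008"),
    "shadow":  (100120, 12, "Possible adversary activity - {file} was accessed", "T1003.008"),
    "history": (100131, 8,  "Possible adversary activity - {file} was accessed", None),
    "ssh":     (100132, 8,  "Possible adversary activity - {file} was accessed", None),
}
GREP_RULE = (100133, 8, "Possible adversary activity - {file} was accessed", None)
GREP_EXE = re.compile(r"/usr/bin/.*grep$")          # the page's /usr/bin/*grep pattern
GREP_ARG = re.compile(r"cred|password|login")
COMPOSITE_RULE = (100130, 12, "Possible adversary activity - searching for previously "
                  "used credentials in system files", "T1552.001")
COMPOSITE_CHILDREN = {100131, 100132, 100133}
COMPOSITE_THRESHOLD = 2     # assumed: two child hits ...
COMPOSITE_TIMEFRAME = 60.0  # assumed: ... within 60 seconds

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample of /var/log/audit/audit.log (not captured data): a non-root user
# reading /etc/shadow (denied), .bash_history, an SSH key, /etc/passwd, and grepping for "password".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="shadow_access"
type=PATH msg=audit(1700000000.101:901): item=1 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:902): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="history_access"
type=PATH msg=audit(1700000000.102:902): item=1 name="/home/alice/.bash_history" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:903): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=1000 comm="grep" exe="/usr/bin/grep" key="audit-wazuh-c"
type=EXECVE msg=audit(1700000000.103:903): argc=4 a0="grep" a1="-ri" a2="password" a3="/etc"
type=SYSCALL msg=audit(1700000000.104:904): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="ssh_access"
type=PATH msg=audit(1700000000.104:904): item=1 name="/home/alice/.ssh/id_rsa" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.105:905): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="passwd_access"
type=PATH msg=audit(1700000000.105:905): item=1 name="/etc/passwd" nametype=NORMAL
"""


def parse_audit_log(text):
    """Group SYSCALL/EXECVE/PATH records that share an audit serial into one event."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "ts": ts, "args": [], "file": None})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            ev.update(key=fields.get("key"), exe=fields.get("exe"), success=fields.get("success"))
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["args"] = [fields[f"a{i}"] for i in range(argc) if f"a{i}" in fields]
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["file"] = fields.get("name")   # the accessed file, not its parent directory
    return [events[s] for s in sorted(events)]


def evaluate(events):
    """Apply the rules in order and return the alerts raised, composite alerts included."""
    alerts, child_hits = [], []   # child_hits: timestamps feeding the composite window
    for ev in events:
        fired = KEY_RULES.get(AUDIT_KEYS.get(ev.get("key")))
        if fired is None and ev.get("exe") and GREP_EXE.search(ev["exe"]) \
                and any(GREP_ARG.search(a) for a in ev["args"]):
            fired = GREP_RULE
        if fired is None:
            continue
        rule_id, level, desc, mitre = fired
        alerts.append({"rule_id": rule_id, "level": level, "serial": ev["serial"],
                       "description": desc.format(file=ev["file"] or ev.get("exe")), "mitre": mitre})
        if rule_id in COMPOSITE_CHILDREN:
            child_hits = [t for t in child_hits if ev["ts"] - t <= COMPOSITE_TIMEFRAME] + [ev["ts"]]
            if len(child_hits) >= COMPOSITE_THRESHOLD:
                rid, lvl, cdesc, cm = COMPOSITE_RULE
                alerts.append({"rule_id": rid, "level": lvl, "serial": ev["serial"],
                               "description": cdesc, "mitre": cm})
                child_hits = []   # window resets once the composite has fired
    return alerts


def run_detection(log_text=SAMPLE_AUDIT_LOG):
    return evaluate(parse_audit_log(log_text))


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['rule_id']} level={a['level']} serial={a['serial']} {a['description']} {a['mitre'] or ''}")
```

Point run_detection at a copy of a real /var/log/audit/audit.log to see which of the watches actually trigger on a host; a file whose reads never show up usually means the path in the -F path rule does not match the user's real home directory.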
Detection Results
Navigate to the Threat Hunting section on the Argus dashboard to view the alerts generated by these configurations. To narrow the view to these rules, apply the following filter:
- Click + Add filter.
- Set:
- Field: rule.id
- Operator: is one of
- Values: 100110, 100120, 100130
- Click Save.