Merge PR #5102 from @CheraghiMilad - Update `Password Policy Discover…

…y - Linux` update: Password Policy Discovery - Linux - Add additional new paths for "pam.d" , namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth" --------- Co-authored-by: Nasreddine Bencherchali <[email protected]>
SigmaHQ · Dec 1, 2024 · aac4335 · aac4335
1 parent c8e1d66
commit aac4335
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
@@ -1,4 +1,4 @@
-title: Password Policy Discovery
+title: Password Policy Discovery - Linux
 id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
 status: stable
 description: Detects password policy discovery commands
@@ -9,7 +9,7 @@ references:
     - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
 author: Ömer Günal, oscd.community, Pawel Mazur
 date: 2020-10-08
-modified: 2022-12-18
+modified: 2024-12-01
 tags:
     - attack.discovery
     - attack.t1201
@@ -20,10 +20,13 @@ detection:
     selection_files:
         type: 'PATH'
         name:
+            - '/etc/login.defs'
+            - '/etc/pam.d/auth'
+            - '/etc/pam.d/common-account'
+            - '/etc/pam.d/common-auth'
             - '/etc/pam.d/common-password'
-            - '/etc/security/pwquality.conf'
             - '/etc/pam.d/system-auth'
-            - '/etc/login.defs'
+            - '/etc/security/pwquality.conf'
     selection_chage:
         type: 'EXECVE'
         a0: 'chage'