Password Policy Enumeration

Identifies enumeration of local or global password policies using built-in commands.

id: 94a5cbe1-851a-4b8f-bd9c-04c62097ae5e
categories: enrich
confidence: low
os: linux
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Discovery
techniques: T1201 Password Policy Discovery

Query

process where subtype.create and (
  process_name == "chage" and command_line == "* -l *" or
  process_name == "cat" and command_line == "*/etc/pam.d/common-password*"
)
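
The query's logic evaluated over sample process events, as an added example that is not part of the original analytic. The Python below stands in for the EQL engine; the event dictionary layout, the `wildcard_eq`, `matches_rule` and `hits` helpers, and the sample events are assumptions constructed for illustration.

```python
import re


def wildcard_eq(value, pattern):
    """EQL-style `==`: `*` matches any run of characters, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event):
    """Python rendering of the query above for a single event (assumed dict layout)."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    name = event.get("process_name", "")
    cmd = event.get("command_line", "")
    # `and` binds tighter than `or`, so the query is two independent clauses.
    return (
        (wildcard_eq(name, "chage") and wildcard_eq(cmd, "* -l *"))
        or (wildcard_eq(name, "cat")
            and wildcard_eq(cmd, "*/etc/pam.d/common-password*"))
    )


def make_event(subtype, process_name, command_line):
    """Build a constructed process event for the samples below."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": process_name, "command_line": command_line}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event("create", "chage", "chage -l alice"),                  # lists aging policy
    make_event("create", "cat", "cat /etc/pam.d/common-password"),    # reads PAM policy
    make_event("create", "chage", "chage -M 90 alice"),               # sets policy, no -l
    make_event("create", "cat", "cat /etc/hostname"),                 # unrelated file
    make_event("terminate", "chage", "chage -l alice"),               # not a create event
]


def hits(events):
    """Return the command lines of the events the rule would flag."""
    return [e["command_line"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd in hits(SAMPLE_EVENTS):
        print("match:", cmd)
```

Routine administrative use of `chage -l` produces the same hits, which is consistent with the analytic's `enrich` category and low confidence.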

Contributors