Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Log Source
Linux
Product: Linux (raw: linux)
Definition
/var/log/secure on RHEL systems or /var/log/auth.log on Debian-like systems needs to be collected in order for this detection to work.
Detection Logic (2 selectors)
```yaml
detection:
    # Example of the events that could be observed when matching these would be as follows
    # Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
    # Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
    # Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
    # Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
    selection_new_user:
        - 'new user'
    selection_uids_gids:
        - 'GID=0,'  # root group
        - 'UID=0,'  # root UID
        - 'GID=10,' # wheel group
        - 'GID=27,' # sudo group
    condition: all of selection_*
```
False Positives
Administrative activity
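The two selectors applied as a Sigma-style substring match over constructed auth.log lines, to show which useradd events the rule flags and why the trailing comma in each value matters (an added example, not code from the rule or the Sigma project; the regex that pulls name/UID/GID out of the message is an assumption about the useradd log format):

```python
import re

# Constructed auth.log excerpt: the four examples from the rule's comments, plus
# one ordinary user creation (UID=1001, GID=100) and one unrelated sshd line.
SAMPLE_LOG = """\
Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
Dec 21 17:41:05 testserver useradd[1337]: new user: name=alice, UID=1001, GID=100, home=/home/alice, shell=/bin/bash
Dec 21 17:45:11 testserver sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# The rule's two selectors, copied as plain substring values.
SELECTION_NEW_USER = ("new user",)
SELECTION_UIDS_GIDS = ("GID=0,", "UID=0,", "GID=10,", "GID=27,")

# Assumed field layout of the useradd "new user" message.
USERADD_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)")


def matches_rule(line):
    """Sigma 'all of selection_*': every selector must match; inside a selector any value is enough.
    The comma in 'UID=0,' is what stops 'UID=1000,' or 'GID=100,' from matching as a prefix."""
    return any(v in line for v in SELECTION_NEW_USER) and any(v in line for v in SELECTION_UIDS_GIDS)


def find_privileged_user_creations(log_text):
    """Return (name, uid, gid) for every line the rule would flag, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not matches_rule(line):
            continue
        m = USERADD_RE.search(line)
        if m:  # a matching line that does not parse is still an alert; just skip the field extraction
            hits.append((m["name"], int(m["uid"]), int(m["gid"])))
    return hits


if __name__ == "__main__":
    for name, uid, gid in find_privileged_user_creations(SAMPLE_LOG):
        print(f"ALERT privileged user created: {name} (UID={uid}, GID={gid})")
```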
MITRE ATT&CK
Techniques
T1098 Account Manipulation
Sub-techniques
T1136.001 Create Account: Local Account
Rule Metadata
Rule ID
0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
Status
test
Level
high
Type
Detection
Created
Wed Dec 21
Modified
Tue Jan 21
Author
Path
rules/linux/builtin/lnx_privileged_user_creation.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1136.001, attack.t1098