Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Local Groups Discovery - Linux

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ömer Günal, Alejandro Ortuno, oscd.communityCreated Sun Oct 11Updated Wed Jun 04676381a6-15ca-4d73-a9c8-6a22e970b90dlinux
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_1:
        Image|endswith: '/groups'
    selection_2:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/less'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
        CommandLine|contains: '/etc/group'
    condition: 1 of selection_*
False Positives

Legitimate administration activities

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
676381a6-15ca-4d73-a9c8-6a22e970b90d
Status
test
Level
low
Type
Detection
Created
Sun Oct 11
Modified
Wed Jun 04
Author
Ömer Günal, Alejandro Ortuno, oscd.community
Path
rules/linux/process_creation/proc_creation_lnx_local_groups.yml
Raw Tags
attack.discoveryattack.t1069.001
View on GitHub