Detection rule, level: medium, status: test
Creation Of A User Account
Detects the creation of a new local user account. Adversaries can use such an account for persistence without having to deploy a persistent remote access tool on the system.
Authors: Marie Euler, Pawel Mazur. Created Mon May 18, updated Tue Dec 20. Rule ID 759d0d51-bc99-4b5e-9add-8f5b2c8e7512. Product: linux.
Log Source
Product: linux
Service: auditd
Detection Logic (2 selectors)
detection:
    selection_syscall_record_type:
        type: 'SYSCALL'
        exe|endswith: '/useradd'
    selection_add_user_record_type:
        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and CentOS
    condition: 1 of selection_*
False Positives
Admin activity
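To show how the two selectors behave on real-looking input, here is an added Python example (it is not part of the Sigma rule or the SigmaHQ project). It parses a handful of constructed auditd records, applies both selectors, and combines them with the rule's `1 of selection_*` condition. The key=value parser, the function names and the sample records are assumptions made for this illustration; the matching semantics (case-insensitive equality and `endswith`, as Sigma uses by default) are the rule's.

```python
import re
from typing import Dict, List

# Constructed auditd records for the demonstration (not captured from a real
# host). Serials 456 and 457 belong to one useradd invocation: a SYSCALL record
# for execve (only present when an execve audit rule is loaded) plus the
# ADD_USER record that useradd emits itself via libaudit. Serials 458-460 are
# controls that must not match: an unrelated exe, an exe that merely contains
# "useradd", and a PAM record whose exe field sits inside the quoted msg.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="exec"
type=EXECVE msg=audit(1700000000.123:456): argc=2 a0="useradd" a1="svc-backup"
type=ADD_USER msg=audit(1700000000.456:457): pid=1235 uid=0 auid=1000 ses=3 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts0 res=success'
type=SYSCALL msg=audit(1700000001.000:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1240 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=SYSCALL msg=audit(1700000002.000:459): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1241 auid=1000 uid=0 comm="notuseradd" exe="/opt/tools/notuseradd" key="exec"
type=USER_ACCT msg=audit(1700000003.000:460): pid=1242 uid=0 auid=1000 ses=3 msg='op=PAM:accounting acct="root" exe="/usr/bin/sudo" res=success'
"""

# key=value tokens; a quoted value (single or double) may contain spaces.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into its top-level key=value fields.

    Quotes are stripped. A quoted msg='...' stays a single value, so an
    exe="..." nested inside an ADD_USER or USER_ACCT message is *not* promoted
    to a top-level 'exe' field, which is how common auditd parsers behave.
    """
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        value = raw
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            value = raw[1:-1]
        fields.setdefault(key, value)  # first occurrence wins (msg= appears twice)
    return fields


def selection_syscall_record_type(record: Dict[str, str]) -> bool:
    # type: 'SYSCALL'  AND  exe|endswith: '/useradd'
    # Sigma string matching is case-insensitive by default, hence lower().
    return (record.get("type", "").lower() == "syscall"
            and record.get("exe", "").lower().endswith("/useradd"))


def selection_add_user_record_type(record: Dict[str, str]) -> bool:
    # type: 'ADD_USER' (emitted by useradd itself, no audit rule required)
    return record.get("type", "").lower() == "add_user"


SELECTIONS = {
    "selection_syscall_record_type": selection_syscall_record_type,
    "selection_add_user_record_type": selection_add_user_record_type,
}


def matched_selections(record: Dict[str, str]) -> List[str]:
    """Names of the selections this record satisfies."""
    return [name for name, check in SELECTIONS.items() if check(record)]


def detect_account_creation(log_text: str) -> List[Dict[str, object]]:
    """Run the rule over raw auditd text; 'condition: 1 of selection_*' means
    a record is a hit as soon as at least one selection matches."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_audit_record(line)
        names = matched_selections(record)
        if names:
            serial = SERIAL_RE.search(line)
            hits.append({
                "serial": serial.group(1) if serial else None,
                "type": record.get("type"),
                "exe": record.get("exe"),
                "matched": names,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_account_creation(SAMPLE_AUDIT_LOG):
        print(hit)
```

Running it yields exactly two hits, serial 456 via the SYSCALL selector and serial 457 via the ADD_USER selector; the other records do not match, including the one whose exe is `/opt/tools/notuseradd`, because `endswith: '/useradd'` requires the path separator. Two practical points follow from this: the SYSCALL branch only fires if an execve rule such as `-a always,exit -F arch=b64 -S execve -k exec` is loaded, while the ADD_USER branch works on a default auditd install, which is why the rule carries both; and an account added by editing `/etc/passwd` and `/etc/shadow` directly produces neither record type, so a file watch like `-w /etc/passwd -p wa -k identity` is a sensible companion.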
MITRE ATT&CK
Tactics
Persistence
Sub-techniques
T1136.001 (Create Account: Local Account)
Rule Metadata
Rule ID
759d0d51-bc99-4b5e-9add-8f5b2c8e7512
Status
test
Level
medium
Type
Detection
Created
Mon May 18
Modified
Tue Dec 20
Author
Marie Euler, Pawel Mazur
Path
rules/linux/auditd/syscall/lnx_auditd_create_account.yml
Raw Tags
attack.t1136.001
attack.persistence